(57) Abstract:

PROBLEM TO BE SOLVED: To realize secure communication between instruments 
belonging to a group which is constituted of instruments accepted by users.
SOLUTION: In a group management processing part 302, an encryption key used for
cryptocommunication in a group is generated and stored, together with the
information required for cryptocommunication, in the instrument's own storage part
and in a storage medium. By using the storage medium, the information required to
perform cryptocommunication with the instrument itself is transmitted to the other
instruments which already belong to the group. When leaving the group, the
instrument deletes the information for performing cryptocommunication which it
holds, informs the other instruments of its leaving, and asks the instruments which
received the notification to delete the information about the leaving instrument.
From instruments in the group, instruments
selected by users are made a subgroup. An encryption key used for 
cryptocommunication in the subgroup is formed. Information required for 
cryptocommunication and subgroup information are transmitted to instruments 
belonging to the other subgroup by cryptocommunication using the encryption key of 
the group. 
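The join and leave flow of the abstract, as an added sketch that is not code from the patent: devices are Python objects, the network and the storage medium are dicts, and messages are only authenticated with HMAC-SHA256 under the group key in place of the encrypted channel. The host names, addresses and message layout are assumptions.

```python
import hashlib
import hmac
import json
import os

TAG_LEN = 32  # size of an HMAC-SHA256 tag


def seal(key: bytes, payload: dict) -> bytes:
    """Authenticate a message under the group key (stand-in for the encrypted channel)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body


def unseal(key: bytes, blob: bytes):
    """Return the payload, or None when the tag does not verify under this key."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(body)


class Device:
    def __init__(self, host: str, addr: str, network: dict):
        self.host, self.addr = host, addr
        self.network = network  # addr -> Device; constructed stand-in for the IP network
        self.info = None        # stored group info: {"key": bytes, "members": {addr: host}}
        network[addr] = self

    def create_group(self) -> None:
        """Generate the group key and hold it with this device's own identification."""
        self.info = {"key": os.urandom(32), "members": {self.addr: self.host}}

    def write_medium(self) -> dict:
        """Copy the current group info to the storage medium (claim 3 behaviour)."""
        if self.info is None:
            raise RuntimeError("device holds no group information")
        return {"key": self.info["key"], "members": dict(self.info["members"])}

    def join(self, medium: dict) -> None:
        """Store the info read from the medium, then announce ourselves to its members."""
        if self.info is not None:
            raise RuntimeError("device already holds group information")
        self.info = {"key": medium["key"], "members": dict(medium["members"])}
        self.info["members"][self.addr] = self.host
        self._notify("join")

    def leave(self) -> None:
        """Announce the departure to every known member, then delete the group info."""
        if self.info is None:
            raise RuntimeError("device holds no group information")
        self._notify("leave")
        self.info = None

    def _notify(self, kind: str) -> None:
        blob = seal(self.info["key"], {"type": kind, "host": self.host, "addr": self.addr})
        for addr in self.info["members"]:
            if addr != self.addr:
                self.network[addr].receive(blob)

    def receive(self, blob: bytes) -> bool:
        """Apply a join/leave notice; ignore anything not sealed under our group key."""
        if self.info is None:
            return False
        msg = unseal(self.info["key"], blob)
        if msg is None:
            return False
        if msg["type"] == "join":
            self.info["members"][msg["addr"]] = msg["host"]
        elif msg["type"] == "leave":
            self.info["members"].pop(msg["addr"], None)
        else:
            return False
        return True

    def members(self) -> list:
        return sorted(self.info["members"].values()) if self.info else []


def demo():
    net = {}
    tv = Device("tv", "fe80::1", net)          # constructed sample devices
    fridge = Device("fridge", "fe80::2", net)
    vcr = Device("vcr", "fe80::3", net)
    tv.create_group()
    fridge.join(tv.write_medium())
    vcr.join(tv.write_medium())                # medium refreshed, so it lists fridge too
    after_join = (tv.members(), fridge.members(), vcr.members())
    forged = seal(os.urandom(32), {"type": "join", "host": "guest", "addr": "fe80::99"})
    rejected = not tv.receive(forged)          # sealed under a key the group never issued
    fridge.leave()
    after_leave = (tv.members(), fridge.members(), vcr.members())
    return after_join, rejected, after_leave


if __name__ == "__main__":
    print(demo())
```

The abstract describes no key change on leave, and the sketch follows it: a leaving device is trusted to delete its own copy of the group key.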
CLAIMS



[Claim(s)] 
[Claim 1] 

It is a network device which communicates with other network devices connected
through a network, and it has:

A group management tool which manages, as a group, said network devices which can
attest each other,
A cryptocommunication means to perform cryptocommunication with a common
encryption key between said network devices which belong to the group,
A storage means to store cryptocommunication information required in order to
perform cryptocommunication with the network devices which belong to said group,
containing the information of said encryption key and identification information
including the host name and the address of the network devices which belong to said
group,
An acquisition means to acquire information from the exterior,

Said group management tool,
if said cryptocommunication information is acquired by said acquisition means in the
condition that said cryptocommunication information is not stored in said storage
means, stores the cryptocommunication information concerned in said storage means
and transmits its own identification information to the network devices which belong
to said group through said cryptocommunication means, and,
if the identification information of another network device is acquired from that
other network device through said cryptocommunication means, adds the identification
information concerned to said cryptocommunication information stored in said storage
means.

The network device characterized by the above.
[Claim 2] 

It is a network device according to claim 1,
Said group management tool,

if an instruction to secede from the group is received by said acquisition means,
notifies the balking of its own network device, through said cryptocommunication
means, to all the network devices belonging to said group which are stored in said
storage means, and deletes said cryptocommunication information from said storage
means, and,
if a notice that another network device secedes is received from that other network
device through said cryptocommunication means, deletes the identification
information of that other network device from said cryptocommunication information
stored in said storage means.

The network device characterized by the above.

[Claim 3] 

It is a network device according to either of claims 1 or 2,
Said acquisition means is the interface of a storage,

The network device characterized in that said group management tool copies the
cryptocommunication information stored in said storage means to said storage when
the storage in which said cryptocommunication information was stored is inserted in
said acquisition means in the condition that said cryptocommunication information is
stored in said storage means.
[Claim 4] 

It is a network device according to any of claims 1, 2, or 3,

A non-cryptocommunication means to perform non-cryptocommunication,
It further has an access-control means to control access to the service which said
network device offers,

The network device characterized in that, when there is access from another network
device through said non-cryptocommunication means, said access-control means permits
said access if it is access to a port defined beforehand.
[Claim 5] 

In the network system equipped with two or more network devices and the network
which connects said two or more network devices,

Said two or more network devices are network devices according to claim 1 to 4.

The network system characterized by the above.
[Claim 6] 

It is a group management method which manages a group of devices which are connected
through a network and which mutually perform cryptocommunication that can be
attested,

The group generation step in which one device connected to said network generates
the encryption key used for said cryptocommunication, and holds, as
cryptocommunication information, the encryption key concerned and identification
information including the host name and the address of the device itself,
The 1st group participating step in which a device which acquired said
cryptocommunication information notifies, by said cryptocommunication, its own
identification information and information which shows participation to all the
devices whose identification information is stored in said cryptocommunication
information, and adds its own identification information to the cryptocommunication
information concerned and holds it,
The 2nd group participating step in which a device which received the identification
information concerned and the information which shows said participation adds the
identification information concerned to said cryptocommunication information which it
holds,
The 1st group balking step in which a device which received an instruction to secede
from said group notifies, by said cryptocommunication, its own identification
information and information which shows balking to all the devices, except itself,
whose identification information is stored in said cryptocommunication information,
and deletes said cryptocommunication information which it holds,
The group management method characterized by having the 2nd group balking step in
which a device which received the notice of the balking concerned deletes the
notified identification information from said cryptocommunication information which
it holds.
[Claim 7] 
Computer,

A group generation means which generates the encryption key used for
cryptocommunication, and holds, as cryptocommunication information, the encryption
key concerned and identification information including the host name and the address
of the computer itself,
The 1st group participating means which, when said cryptocommunication information
is acquired, notifies, by said cryptocommunication, its own identification
information and information which shows participation to all the devices whose
identification information is stored in said cryptocommunication information, and
adds its own identification information to said cryptocommunication information and
holds it,
The 2nd group participating means which, if the identification information of
another device and information which shows participation are received from the
device concerned, adds the identification information concerned to said
cryptocommunication information which it holds,
The 1st group balking means which, when an instruction to delete said
cryptocommunication information is received, notifies, by said cryptocommunication,
its own identification information and information which shows balking to all the
devices, except itself, whose identification information is stored in said
cryptocommunication information, and deletes said cryptocommunication information
which it holds,
The 2nd group balking means which, when the identification information of another
device and information which shows said balking are received, deletes the received
identification information from said cryptocommunication information which it holds,

The program for making the computer function as the above means.
[Claim 8] 

It is a network device according to claim 1 or 2,

It has an interface means which displays the network devices contained in the 1st
group connected to said network and makes them selectable,
Said group management tool manages said selected network devices as the 2nd group,
Said storage means stores the cryptocommunication information containing the 2nd
encryption key and identification information including the host name and the address
of the network devices which belong to said 2nd group,
Said cryptocommunication means is a network device characterized by performing
cryptocommunication with the 2nd common encryption key in said 2nd group.
[Claim 9] 

It is a network device according to claim 8, 

The network device characterized by having a means to transmit said 
cryptocommunication information enciphered using said 1st group's encryption key to 
the network device which belongs to said 2nd group. 
[Claim 10] 

It is a network device according to claim 8,

Said storage means stores, as said 2nd group's cryptocommunication information, said
cryptocommunication information enciphered with said 1st group's encryption key when
it is acquired from other network devices,

The network device characterized by performing the 2nd group communication link by
the cryptocommunication using said 2nd cryptographic key.
[Claim 11] 

It is a network device according to claim 8,

Said interface means, by which a user can set up user-identification information and
confidential information corresponding to the 2nd group,
Said storage means, which stores group information consisting of said
user-identification information, said confidential information, said 2nd group's
cryptocommunication information, the corresponding 2nd group identification
descriptor, and an authentication key generated in the network device itself,
A means to store said 2nd group information in a storage,
It has a means to encipher said 2nd group information with said 1st group's
encryption key and to transmit it to all the network devices belonging to the 2nd
group,
Said storage means is a network device characterized by storing said group
information decrypted using said 1st encryption key, when said enciphered 2nd group
information is received.
[Claim 12] 

It is a network device according to claim 11,

A means to check that the user-identification information and confidential
information which the self-device manages are the same as the values memorized by
said storage,
It has a means to search the 2nd cryptographic key which the device manages
corresponding to the group identification information memorized by said storage,
The network device characterized by performing cryptocommunication among said 2nd
group using said 2nd cryptographic key.

[Claim 13] 

It is a network device according to either of claims 8 or 11,

The network device which has said interface means is a network device characterized
by decrypting using said 1st encryption key and storing said group information in said
storage means when said enciphered 2nd group information is received.

[Claim 14] 

It is a network device according to either of claims 8 or 11,
A storage means to store the source port number of an application when starting the
application which needs the communication link with other network devices belonging
to said 2nd group,

It has a means which, when a packet is transmitted from said application, checks
that the source port number of said packet coincides with said stored port number,

The network device characterized by transmitting said packet by the 2nd group
communication link by cryptocommunication using said 2nd cryptographic key only when
they are in agreement.
[Claim 15] 

In the network device according to either of claims 8 or 11,

The network device characterized by having a storage means to additionally store in
said storage the address of the network device which stores said group information in
said storage.

[Claim 16] 



In the network device according to either of claims 8 or 11,
While storing said group information in said storage,

The network device characterized by additionally storing the identifier and the
address of all the network devices belonging to said 2nd group in said storage.

[Claim 17] 

It is the network system characterized in that, in the network system equipped with
two or more network devices and the network which connects said two or more network
devices, said two or more network devices are network devices according to any one
of claims 8 to 16.

[Claim 18] 

In the network system to which the 1st network device which performs a group
communication link, and the 2nd network device which does not perform a group
communication link are connected,
Said 2nd network device,

The means which reads the user identifier, the confidential information, the
group identification descriptor, the authentication key, and the address on a storage
through a storage according to claim 15,
An interface means by which a user inputs a user identifier and confidential
information,
A means to check that the input values are in agreement with the user identifier and
confidential information on the storage,
A means to encipher said user identifier and confidential information with the
authentication key, and to transmit said enciphered user identifier and confidential
information and the group identification descriptor to said address,
It has a means to receive the 2nd common encryption key enciphered with said
authentication key,

The network device characterized by performing cryptocommunication with said 2nd
common encryption key when said user communicates.
[Claim 19] 

In the 2nd network device according to claim 18,

A means to display to a user, through a storage according to claim 16, the identifier
and the address of the network devices on the storage,
A means by which the user chooses a network device to connect to from the displayed
network devices,

The network device characterized by having a means to transmit the user identifier
and confidential information enciphered with the authentication key on the storage,
and the group identification descriptor, to the address of the network device which
the user chose.
[Claim 20] 

It is a network device according to either of claims 18 or 19,

Said 1st network device,

A means to receive said enciphered user identifier and confidential information and
the group identification descriptor from said 2nd network device,
A means to search, from said received group identification descriptor, the
authentication key which is paired with the group identification descriptor managed
by the device,
A means to decrypt the user identifier and confidential information using said
authentication key,
A means to check whether the user identifier and confidential information are in
agreement with those which the device manages corresponding to the group
identification descriptor,
It has a means to encipher, with said authentication key, the 2nd common encryption
key which the device manages paired with said group identification descriptor, and
to transmit it to the 2nd network device,

The network device characterized by performing an encryption communication link
with the 2nd common encryption key for the communication link with the 2nd network
device.
[Claim 21] 

It is a network system,

The network system characterized by connecting the network device according to claim
20, which performs a group communication link, and the network device according to
either of claims 18 or 19, which does not perform a group communication link.
[Claim 22] 

It is a group management method according to claim 6, 

The selection step in which network devices belonging to a group are chosen,
The 2nd group coding information generation step which generates another encryption
key used for the cryptocommunication by which said selected network devices can
attest each other, and holds the cryptocommunication information containing that
other encryption key and identification information including the host name and the
address of the network devices belonging to said 2nd group,

The 2nd group coding information distribution step which enciphers said
cryptocommunication information using said encryption key and notifies it to the
network devices which belong to said 2nd group,

The group participating step to which the device which received said 2nd 
cryptocommunication information holds the 2nd cryptocommunication information 
concerned, 

The 2nd group information generation step which holds user-identification information,
the confidential information which the user created, said 2nd group's
cryptocommunication information, the 2nd corresponding group identification
descriptor, and group information that consists of a generated authentication key, and
stores said information in a storage,

The 2nd group information distribution step which enciphers the 2nd group's group
information using said encryption key and notifies it to the network devices which
belong to said 2nd group,

The group management method characterized by having the group access privilege 
setting step to which the device which received said 2nd group information holds said 
group information. 
[Claim 23] 

It is a group management method according to claim 22, 
The user authentication step which checks that the user-identification information
and confidential information which the device manages are the same as the values on
said storage,

The group management method characterized by having the cryptocommunication 
preparation step which holds the port number of application. 
[Claim 24] 

In a program according to claim 7, 

A selection means by which network devices belonging to a group are chosen,
The 2nd group coding information generation means which generates the encryption key
used for the cryptocommunication by which said selected network devices can attest
each other, and memorizes the cryptocommunication information containing the
encryption key concerned and identification information including the host name and
the address of the network devices which belong to said 2nd group,

2nd group coding information distribution means to encipher the 2nd group's
cryptocommunication information using said encryption key and to notify it to the
network devices which belong to said 2nd group,

A group participating means to hold cryptocommunication information in the device
which received said 2nd cryptocommunication information,

The 2nd group information generation means which memorizes user-identification
information, the confidential information which the user created, said 2nd group's
cryptocommunication information, the 2nd corresponding group identification
descriptor, and group information which consists of a generated authentication key,
and stores said information in a storage,
2nd group information distribution means to encipher the 2nd group's group
information using said encryption key and to notify it to the network devices which
belong to said 2nd group,

A group access privilege setting means to memorize group information in the device 
which received said 2nd group information, 

A user authentication means to check, through said storage when a user uses a
network device, that the user-identification information and confidential information
which the device manages are the same as the values on said storage,
A cryptocommunication preparation means to hold the port number of the application
which a user uses,

A means which, when transmitting a packet to a device belonging to the 2nd group,
performs cryptocommunication with the 2nd group's encryption key if the port number
of the transmitted packet is in agreement with the held port number,
The program for making the computer function as the above means.



DETAILED DESCRIPTION 



[Detailed Description of the Invention] 
[0001] 

[Field of the Invention] 

This invention relates to a technique for communicating exclusively and safely
between the specific devices connected to a network.

[0002] 

[Description of the Prior Art] 

The IP network, which uses the communications protocol called Internet Protocol
(hereafter referred to as IP), has established its status as a de facto standard of
computer networks, and its spread among general users is remarkable.
[0003] 

In order to exchange data between devices through this IP network, each device must
be given a unique IP address. IPv4 (Internet Protocol version 4), which expresses an
IP address with 32 bits, is currently used, but as use of IP networks increases, the
shortage of IP addresses is becoming a big problem.
[0004] 

Against the background of such a situation, IPv6 (Internet Protocol version 6), which
extends the IP address to 128 bits and further adds functions which old IP did not
have, such as a security function, has been adopted in the IETF (Internet Engineering
Task Force), and the network service using it is being standardized as the next
generation IP.
[0005] 

Furthermore, the home network, which consists of domestic devices such as white home
appliances (a refrigerator, a washing machine) and AV equipment (television, video),
attracts attention as a new application of IPv6, in which the usable number of
addresses is increased and the security function is enhanced.
[0006] 

By assigning an IP address to each of these devices, each device can be regarded as
a server, and it is being considered to realize new services by the communication
link between devices, or new services through the Internet, such as control of a
device from an external terminal and control of a device from a service center.
[0007] 

By the way, in the communication link between specific devices such as domestic
devices, a mechanism is required which excludes operation from devices outside the
range which the user recognizes. For example, arbitrary operation by a device which
a friend brought in needs to be prevented.

[0008] 

That is, a mechanism is required by which a user determines the range within which
mutual communication is permitted, those devices are grouped, and communication is
made only between the grouped devices. And in order to realize such communication, an
authentication function is required by which the devices in a group attest to each
other that each is a genuine device belonging to the group.
[0009] 

As such an authentication function, one using an authentication server is realized in
the conventional client/server type system. For example, in RADIUS (Remote
Authentication Dial In User Service) defined by RFC2865, the accounts (a user name,
password) of the clients which access a server are managed collectively by the
authentication server called a RADIUS server. A server transmits the access request
(a user name and a password are included) from a client to the RADIUS server, which
judges whether access is permitted, and the communication link with the client is
performed according to the decision result.
[0010] 

As the conventional cryptocommunication system between specific grouped devices and
its communication method, there are, for example, those shown in patent reference 1
and patent reference 2.
[0011] 

[Patent reference 1] JP,2002-124941,A 

[Patent reference 2] JP,5-347616,A
[0012] 

[Problem(s) to be Solved by the Invention] 

In order to perform communication only between the devices specified by a user among
the devices connected to the home network, a function by which the devices attest to
each other that the partner is a specified device is considered necessary.
[0013] 

The conventional authentication function presupposes a client/server system, and is
realized by having the authentication server which manages the access information of
the clients which access a server.

[0014] 

On the other hand, the devices which constitute a home network are of the ad hoc
type, communicating between the required devices as appropriate for each service. For
this reason, every device can become both a server and a client, and there is a
problem that the setup of access information becomes more complicated.
[0015]

In such a case, if an authentication server is provided as before and authentication
is performed individually at every session start between devices and every service
start, there is also a problem that the overhead of authentication becomes large.
[0016] 

For example, the technique indicated by the above-mentioned patent reference 1 is a
group communication system with an authentication function. In this technique, the
group communication system is equipped, in addition to the devices which constitute
a group, with a group cryptographic key management unit, which has the function to
generate a group cryptographic key and the function to manage the information of the
terminals belonging to the group, and with a relay device, and it is premised on a
large-scale network configuration.
[0017] 

Moreover, the technique indicated by the above-mentioned patent reference 2 must 
possess the IC card first for every device which performs a group communication link. 
And two or more master keys and group key generators which were beforehand set 
up for every affiliation of a transceiver partner need to be recorded on the IC card. 

[0018] 

Thus, in the prior art, a device which serves as an authentication server needed to
be prepared in addition to the devices which actually communicate, and as many
record media as the number of devices which constitute a group needed to be
prepared, each storing beforehand the complicated information on the relation
between a master key and each communications partner.
[0019] 

Even if a group of devices is constituted and safe communication is realized by
authentication between the devices, use of a device by a third person cannot be
prevented, so arbitrary operation which the user does not expect may be performed.
That is, there is a problem that access control at the user level, for the users who
use a group and its devices, cannot be performed.

Moreover, there is a problem that the devices which can be used by a user cannot be
restricted, either.

In addition, it is applicable only to communication between devices arranged in a
local network whose location is fixed, such as a domestic network. This is because
IPsec is used, so that, in order to judge whether a device constitutes the group,
the pair of a transmission-destination IP address and a reception-source IP address
needs to be fixed in addition to the shared key. When a device which constituted the
group moves out of the local network, the technical problem arises that the access
control by group communication link is inapplicable.
[0020] 

This invention was made in view of such a situation, and the purpose of this
invention is to easily constitute, among the devices which the user accepted, a
group whose members can attest each other, and to realize the safe communication
link between the devices belonging to the group.
[0021] 

Furthermore, another purpose of this invention is to realize access control which,
when the applications offered by a device in a group include some which also permit
access from devices outside the group, permits access from devices outside the group
only to those applications.
[0022]

Another purpose of this invention is to constitute, within the group constituted
among the devices which the user accepted, a subgroup which limits the users, and to
realize access control of the users who use the subgroup.
[0023]

Another purpose of this invention is to realize safe access to and control of the
devices which constitute a subgroup from a place physically distant from them.
[0024] 

In addition, this application solves at least one of the above-mentioned purposes. 

[0025] 

[Means for Solving the Problem] 

This invention regards as a group a set of devices which attest each other by
performing cryptocommunication using a shared key and which perform communication
whose security is ensured, and each device which can constitute the group has group
management means for generating a group and for participating in and seceding from
the group.
[0026]

Moreover, even if a device belongs to a group, the possibility of the communication
link with devices outside the group is also retained.

[0027] 

Specifically, there is offered a network device which communicates with other
network devices connected through a network, equipped with a group management tool
which manages, as a group, said network devices which can attest each other, a
cryptocommunication means to perform cryptocommunication with a common encryption
key between said network devices which belong to the group, a storage means to store
cryptocommunication information required in order to perform cryptocommunication
with the network devices which belong to said group, including identification
information including the host name and the address of the network devices which
belong to said group and the information on said encryption key, and an acquisition
means to acquire information from the exterior. The network device is characterized
in that said group management tool, if said cryptocommunication information is
acquired by said acquisition means in the condition that said cryptocommunication
information is not stored in said storage means, stores the cryptocommunication
information concerned in said storage means and transmits its own identification
information to the network devices which belong to said group through said
cryptocommunication means, and, if the identification information of another network
device is acquired from that other network device through said cryptocommunication
means, adds the identification information concerned to said cryptocommunication
information stored in said storage means.
[0028] 

Moreover, there is offered the network device characterized in that said group
management tool further, if an instruction to secede from the group is received by
said acquisition means, notifies the balking of its own network device, through said
cryptocommunication means, to all the network devices belonging to said group which
are stored in said storage means, and deletes said cryptocommunication information
from said storage means, and, if a notice that another network device secedes is
received from that other network device through said cryptocommunication means,
deletes the identification information of that other network device from said
cryptocommunication information stored in said storage means.

Among the network devices which constitute said first group, the network devices
which a user can use are chosen, and the second cryptographic key used by the
selected network devices is distributed to these devices through said
cryptocommunication means. The second group is thereby constituted within the first
group, and by performing cryptocommunication using the second common cryptographic
key, the devices attest each other and perform communication whose security is
ensured. Moreover, the second cryptographic key, the corresponding user's identifier,
and the information on a password are managed in the network device and in a storage,
and said information is enciphered by the first cryptographic key and distributed to
the other network devices which perform the second group communication link. When a
user uses a network device, access control over whether the group communication link
may be used is thereby offered in every network device, by checking that the
information on the storage and the information in the network device are in
agreement.
By requesting management to the network device which manages the address and the
authentication key of a network device with a storage, manages an authentication key
in a network device, enciphers by the first cryptographic key, and performs other
second group communication link In case a user starts the network device second for
a group communication link, and a communication link from the network device which
is not a candidate for a group communication link, with the authentication key of a
storage Encipher the password and user ID of a storage and the encryption
information is transmitted to addressing to the address of a storage. After decrypting
user ID and a password with the authentication key by the network device second for
a group communication link and checking user ID and a password The
cryptocommunication in the second cryptographic key is offered by enciphering and
returning the second common cryptographic key with an authentication key between
the network devices which are not the candidates for a group communication link.
[0029] 

[Embodiment of the Invention] 

Hereafter, an embodiment of this invention is explained using the drawings.
[0030] 

This embodiment is explained taking as an example the case where this invention is
applied to the network constituted by household electric appliances etc. in **.
[0031] 

The network in ** of this embodiment is constituted by IPv6, and devices each given
an IP address, for example, household-electric-appliances devices such as a
microwave oven and an air-conditioner, AV equipment such as television and video, a
sensor, etc., are connected to it. Hereafter, each device which is connected to the
network and to which an IP address by IPv6 is given is called a node.
[0032] 

In this embodiment, those of these nodes which a user permitted to communicate
mutually are made into a group, and cryptocommunication with a common encryption key
is performed for authentication between the nodes belonging to the group. Here,
IPv6, which is adopted in this network, not only makes the number of securable IP
addresses immense as mentioned above, but is also equipped as standard with the
structure of encryption and authentication called IPsec, and so has the feature of
being user-friendly while maintaining advanced safety. In this embodiment, safe
communication only between the devices which constitute a group is realized using
IPsec of IPv6.

Before the detailed explanation of this embodiment, the outline of IPsec is
explained first.

IPsec is a technique which offers interoperable, high-quality, cryptography-based
security in the IP layer. This security is realized by two traffic security
protocols, the authentication header AH (Authentication Header) and the IP
encryption payload ESP (Encapsulating Security Payload), etc.
[0033] 



AH offers the function which prevents the alteration of an IP packet, and ESP
enciphers an IP packet and stores the authentication data; by these, the
confidentiality and integrity of an IP packet are guaranteed.
[0034] 

The device of a communications partner is authenticated by whether it holds the key
which can decode the authentication information and the enciphered data that AH and
ESP, respectively, created and sent using the authentication key and the
cryptographic key.
[0035] 

The configurations of the IP packet at the time of using the AH protocol and the ESP
protocol are shown in drawing 4 and drawing 5, respectively. In addition, these
packet configurations are specified in RFC 2401-2403 as IPsec packets.
[0036] 

Drawing 4 shows the configuration of the IP packet at the time of using AH protocol. 
The IP packet in this case is equipped with the IP header 400, the TCP/UDP header 
402, and the AH header 401 that stores the hash value to data 403. 

[0037] 

The hash value stored in the AH header 401 is for proving that the packet has not
been altered, and the value calculated using the authentication key mutually held
between communications partners is stored. Authentication presupposes that both
sides hold the same authentication key: the receiving side calculates the hash value
of the data with the authentication key which it holds, and compares it with the
stored hash value, which the transmitting side calculated with the authentication
key which it holds. When both agree, the receiving side can check that the partner
holds the same authentication key. That is, it is proved that the transmitting
partner of the packet is a device in the group which holds the same encryption key.
[0038] 

Drawing 5 shows the configuration of the IP packet at the time of using the ESP
protocol. It is the header configuration at the time of enciphering the data
together with the TCP/UDP header.
[0039] 

The IP packet in this case is equipped with the ESP header 501 which shows that it is
an enciphered packet, the ESP trailer 504 for aligning the boundary of the
encryption, and the authentication data 505. The authentication data 505 are
optional and store the hash value of the ESP header 505, the enciphered TCP/UDP
header 502, data 503, and the ESP trailer 504.
[0040] 

The hash value stored in the authentication data 505 secures the integrity of the IP
payload, and the encryption secures the confidentiality of the TCP/UDP header 502
and data 503 which are transmitted. When enciphering, the cryptographic key which
the transmitting side holds is used. The receiving side decodes, with the
cryptographic key which it holds, the data which the transmitting side enciphered
using the cryptographic key which the transmitting side holds. If the receiving side
can decode the data, it can check that the partner holds the same cryptographic key.
That is, this serves as the certification that the transmitting partner of the
packet is a device in the group which holds the same cryptographic key.
[0041] 

Moreover, the information which should be shared among the devices in order to
communicate according to the specification of IPsec (communication performed
according to the specification of IPsec is henceforth called an IPsec communication
link), such as the encryption / authentication algorithm and the keys used by IPsec,
is managed as a security association (SA).
[0042] 

SA is a one-way "connection" which offers security service to the traffic carried by
it. For this reason, in performing an IPsec communication link, it is necessary to
set up an SA beforehand for each direction of communication between the devices
which communicate. That is, in order to communicate in both directions, it is
necessary to set up an SA for each of the transmit direction and the receive
direction.
[0043] 

In addition, the detail of IPsec is specified in RFC2401 "Security Architecture for
the Internet Protocol."

[0044] 

Drawing 1 is a drawing showing the configuration of the group communication system
concerning one embodiment to which this invention is applied.

[0045] 

As shown in this Fig., in this embodiment, four nodes 100 (100A, 100B, 100C,
100D) are connected to the network 110 by IPv6. Of course, the number of
configuration nodes is not restricted to this.
[0046] 

Operation from other nodes 100 of the service function peculiar to the device with
which each node 100 is equipped, and service provision to other nodes 100, are
realized by transmitting and receiving commands in IP packet format through the
network 110 among these nodes 100.

[0047] 

Specifically, this realizes, for example, carrying out temperature control of an
air-conditioner from television, or transmitting the image photoed with a video
camera to video through the network by operation from television and making the
video record that image on videotape.
[0048] 

For example, suppose that node 100A to node 100C are nodes belonging to the group
for which a user has permitted mutual use of services, and node 100D is a node
outside the group. In case the use demand of a service function is transmitted
between the nodes 100A, 100B, and 100C which constitute the group, the requesting
node sends an IP packet which stores the hash value calculated with the key shared
within the group (henceforth called a group key), or which is enciphered with it
(direction 101). The destination node which received the use demand checks, with the
group key which it holds, that the requesting node is a node constituting the group,
and provides the service function to the requesting node (direction 102). In this
way the said IPsec communication link is performed.
[0049] 

On the other hand, when node 100D transmits the use demand of a service function to
node 100C by the usual IP packet (direction 104), it is judged in node 100C to be a
node outside the group, and node 100D receives in reply a packet of service
provision refusal (direction 103).
[0050] 

Here, in the case where node 100B is a node which has a service that it permits to
be offered to nodes 100 outside the group, if node 100D specifies that service and
transmits the usual IP packet (direction 104b), the service will be offered from
node 100B (direction 103b).
[0051] 

This embodiment is explained taking as an example a network in which communication
by a protocol using IPv6, which mounts the structure of IPsec as standard as
mentioned above, is possible. However, the communications protocol is not restricted
to this, if an environment can be built in which an encryption key common to the
nodes 100 which constitute a group is given and communication within the group can
be performed by making that key into an authentication key or a cryptographic key.
[0052] 

Hereafter, the management method of a group which realizes safe use of predetermined
services between the nodes 100 connected to such a network is explained, i.e., how
one node 100 generates a group, how other nodes 100 participate in the generated
group, and how a node secedes from the generated group.
[0053] 

In this embodiment, two empty memory cards A and B are prepared. Information
required in order to perform an IPsec communication link within a group is generated
in the node 100 which participates in the group first, and it is registered in one
of the memory cards, A. A node 100 which participates after that participates in the
group by acquiring the required information from memory card A. Moreover, in case a
node secedes from a group, the empty memory card B is used.
[0054] 

The hardware configuration of a node 100 is shown in drawing 2, and the functional
configuration is shown in drawing 3.

[0055] 



A node 100 is equipped with one or more proper function parts 202 with which the
node 100 is provided, a network card 205, the processor 200 which controls the
proper function parts 202 and the network card 205, the system bus 203 which
connects these, the memory 201 which memorizes the program performed by the
processor 200, the external storage 204, such as a hard disk, which memorizes a
program and setting information, and the storage interface 206 which offers an
interface to a storage, such as a memory card, for delivering group information.
[0056] 

In addition, if the proper function which the proper function part 202 realizes is an 
air-conditioner, they are things, such as the processing section which manages an air 
conditioning function, a temperature function manager, timer ability, etc., for example. 
[0057] 

Moreover, the storage interface 206 possesses an LED (light emitting diode) light
which notifies a user that writing to the inserted storage is in progress.

[0058] 

Next, the functions with which each node 100 is equipped are explained according to
drawing 3. By these functions, a node 100 realizes offer of service through the
network between the nodes 100 which constitute the group for which the user
permitted mutual use of service.
[0059] 

Each node 100 is equipped with application 301, the group management processing
section 302, the TCP/UDP transmitting processing section 303, the IP transmitting
section 304, the access policy database 308, the SA database 309, the network
interface reception section 310, the IP receive section 314, the TCP/UDP reception
section 315, the network interface transmitting processing section 317, and the
storage interface processing section 318.
[0060] 

Application 301 offers service peculiar to each node. 
[0061] 

The group management processing section 302 performs management of a group, such as
the group's generation, balking, and updating, mentioned later.

[0062] 

The network interface reception section 310 and the network interface transmitting 
processing section 317 control a network card. 

[0063] 

The storage interface processing section 318 controls the storage interface 206.
When it detects that a record medium, such as a memory card, was inserted in the
storage interface 206, the storage interface processing section 318 turns on the LED
light with which the storage interface 206 is equipped, and shows to a user that the
memory card is in use. Moreover, if the notice of processing termination is received
from the group management processing section 302, the LED light with which the
storage interface 206 is equipped is switched off, which notifies the user that the
writing to the storage, such as a memory card, was completed, and that the
processing in the group management processing section 302 was completed.
[0064] 

In addition, the user who received the notice can take out the memory card from the
storage interface 206 concerned.

[0065] 

The TCP/UDP transmitting processing section 303, the IP transmitting section 304,
the IP receive section 314, and the TCP/UDP reception section 315 each perform the
processing of their layer on the IP packets sent and received, and realize a
communication link.
[0066] 

The IP transmitting section 304 is equipped with the IPv6 transmitting pretreatment
section 305, the IPsec transmitting processing section 306, and the IPv6
after-treatment section 307, and the IP receive section 314 has the IPv6 reception
pretreatment section 311, the IPsec reception section 312, and the IPv6 receiving
after-treatment section 313. The communication link by IPv6 is realized in the IP
transmitting section 304 and the IP receive section 314.
[0067] 

Here, the IPv6 reception pretreatment section 311 performs IPv6 reception
pretreatment, namely the check of the set values of the version, payload length, and
hop limit which constitute the IP header, and option header processing (except for
AH and ESP). The IPv6 reception pretreatment section 311 delivers the IP packet to
the IPsec processing section 312, when either an AH header or an ESP header is added
to the received IP packet. When neither of the headers is added, it delivers the IP
packet to the receiving access-control section 316, which is mentioned later.
[0068] 

The IPsec processing section 312 performs the processing of AH and ESP among the
option headers of the IP header, and judges whether the received IP packet was
transmitted from a node 100 which belongs to the group.
[0069] 

The IPv6 receiving after-treatment section 313 performs IPv6 receiving
after-treatment: when an IP packet is received, it creates a Pseudo Header including
the transmitting agency IP address and the transmission place IP address, replaces
the IP header of the received IP packet with it, and delivers the packet to the
TCP/UDP reception section 315. Moreover, the IP receive section 314 has the
receiving access-control section 316 further.
[0070] 

The receiving access-control section 316 controls reception of, and access to the
application by, an IP packet which does not have an AH header or an ESP header and
which is delivered from the IPv6 reception pretreatment section 311.
[0071] 



The SA database 309 stores the security associations (SA) needed for IPsec.
[0072] 

The access policy database 308 stores the information about the access control to
each node and the group information, in order to realize a communication link within
a group.
[0073] 

The access policy database 308 is equipped with the group managed table 600, the
application managed table 700 for an access control, and the group member managed
table 800.
[0074] 

In addition, the group managed table 600 is held also on the memory card which is the
storage connected to a node through the storage interface 206.

[0075] 

Hereafter, the group management processing section 302, each table in the access
policy database 306, and the SA in the SA database 309 are explained in detail.
[0076] 

The functional block diagram of the group management processing section 302 is
shown in drawing 6.

[0077] 

As shown in this Fig., the group management processing section 302 is equipped with 
a control section 3100, the group generation processing section 3200, the group 
participating processing section 3300, the group balking processing section 3400, the 
group information update process section 3500, and the group control IP packet 
reception section 3600. 
[0078] 

The group management processing section 302 starts processing with the directions 
from the storage interface processing section 318 which detected that the user 
inserted the memory card in the storage interface 206. 
[0079] 

A control section 3100 receives the directions from the storage interface processing
section 318, searches the inserted memory card and the access policy database 308
which the node itself holds, and checks the existence of the group managed table 600
in each.

[0080] 

The group generation processing section 3200 performs group generation processing
which newly generates a group, when the group itself does not exist. Group generation
processing is performed when the control section 3100 judges that the group managed
table 600 exists neither in the memory card nor in the access policy database 308.
[0081] 

Specifically, the information required in order to perform cryptocommunication with
other nodes belonging to the group, i.e., the items which should be registered into
the group managed table 600, is generated and chosen, the group managed table 600 is
created, and it is registered into the memory card and the access policy database
308.
[0082] 

The group participating processing section 3300 performs group participating
processing, in which the node itself is made to participate in an existing group as
a new member. Group participating processing is performed when the control section
3100 judges that the group managed table 600 does not exist in the access policy
database 308 although the group managed table 600 exists in the memory card.
[0083] 

The group participating processing section 3300 acquires the information required
for cryptocommunication which is stored in the inserted memory card, and transmits
the information required in order to perform cryptocommunication with the own node
100 to the other nodes 100 which already belong to the group. Specifically, it adds
its own information to the group managed table 600 in the memory card, and registers
the group managed table 600 to which its own information was added into the access
policy database 308.
[0084] 

Moreover, the group member managed table 800 is generated by solving an IP address 
from the host name of the node 100 which was obtained from the group managed 
table 600 and which already belongs to the group. 
[0085] 

Furthermore, the group participating processing section 3300 sets up a security 
association, registers it into the SA database 309, and notifies that self was added to 
the node 100 of the existing member in a group by the IPsec communication link so 
that each node 100 in a group and an IPsec communication link may be attained. 
[0086] 

The group balking processing section 3400 performs group balking processing, in
which the node secedes from a group.

[0087] 

In this embodiment, when a user wants a predetermined node 100 to secede from a
group, an empty memory card is inserted in the node 100 concerned. That is, group
balking processing is carried out when the control section 3100 judges that the
group managed table 600 does not exist in the inserted memory card although the
group managed table 600 exists in the node's own access policy database 308.
[0088] 

In group balking processing, the node notifies the other nodes 100 belonging to the
group that the own node 100 secedes, and deletes the information required in order
to perform cryptocommunication within the group, i.e., the data concerning the
communication link within the group in its own access policy database 308 and the SA
database 309.
[0089] 

Here, in case the group participating processing section 3300 and the group balking 
processing section 3400 notify participation and balking to each node 100 belonging to 
a group, respectively, the IP packet which has the special data division called a group 
control IP packet is used. 
[0090] 

Here, the group control IP packet is explained. An example of the data division 1000
of a group control IP packet is shown in drawing 7.

[0091] 

As shown in this Fig., the data division 1000 of a group control IP packet is
equipped with the command identifier storing section 1001 which stores a command
identifier, the 16-byte IP address storing section 1002 which stores an IP address,
and the host name storing section 1003 which stores a host name.
[0092] 

Here, in case new participation is notified, in the case of the group control IP packet 
transmitted to each node 100 belonging to a group, (00) hex which shows 
"subscription" is set as the command identifier storing section 1001 (this group 
control IP packet is henceforth called a subscription command). And the own address 
and an own host name are set to the IP address storing section 1002 and the host 
name storing section 1003, respectively. 
[0093] 

Moreover, in case it secedes from a group, in the case of the group control IP packet
transmitted to each node 100 belonging to a group, (01) hex which shows "balking" is
set as the command identifier storing section 1001 (this group control IP packet is
henceforth called a balking command). And the own address and an own host name
are set to the IP address storing section 1002 and the host name storing section
1003, respectively.
[0094] 

The group information update process section 3500 performs the group information 
update process of updating the contents of the group managed table 600, or copying 
it to a memory card. 
[0095] 

In this embodiment, in order to raise security, the group key used within a group is
set up so as to be updated every predetermined period. When the key expiration date
in the group managed table 600 times out, the group information update process
section 3500 generates a new group key.
[0096] 

Here, a different key expiration date is set for every node at the time the group
managed table 600 is generated. Concretely, each node sets as its key expiration
date the value acquired by adding to or subtracting from a predetermined expiration
date a random value within a range of, for example, plus or minus 30%. For this
reason, the key expiration date times out at a different timing in each node, the
node which updates the key is settled to one, and it can be avoided that the members
of a group generate group keys at the same time.

[0097] 

And the member which updated the group key enciphers the updated group key with the
group key from before the update, and sends it to each node which belongs to the
group. At this time, the key expiration date of each node may be reset along with
the renewal of the key.
[0098] 

Moreover, the group information update process section 3500 updates the IP address 
in a related database, when the IP address of each node 100 belonging to a group is 
updated, while updating the information on the group key which self holds, when the 
updated group key is received from other nodes. 
[0099] 

Here, in this embodiment, since renewal of a group's key is performed as
mentioned above, it is not reflected in the group managed table 600 in the memory 
card used for group participating processing. Similarly, balking processing from an 
above-mentioned group is performed using an empty memory card, and the notice to 
other nodes 100 which constitute a group from a node 100 from which it seceded is 
performed by IPsec communication link. For this reason, modification of the group 
configuration member by group balking is not reflected in the group managed table 
600 in the memory card used for group participating processing, either. 
[0100] 

For this reason, in this embodiment, the group information update process
section 3500 also performs an update process of the group managed table 600 in a 
memory card. 
[0101] 

The update process of the group managed table 600 in the memory card by the group
information update process section 3500 is performed when the control section 3100
judges that the group managed table 600 exists both in the node's own access policy
database 308 and in the inserted memory card.

[0102] 

The group information update process section 3500 copies the information on the
group managed table 600 stored in the access policy database 308 of the node 100
concerned to the group managed table 600 in the memory card.
[0103] 

In this embodiment, the procedure is determined so that, when group participating
processing is actually performed, the memory card is first inserted in a node 100
which already belongs to the group, and the processing which brings the group
managed table 600 in the memory card up to date is performed beforehand.
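The following added example (not code from the patent) simulates the control section's four-way decision on card insertion and shows why the refresh step above matters: a card written before a key update hands a joining node a group key that no current member accepts. Class and function names are hypothetical, only a subset of table 600 is modelled, and key distribution over IPsec is reduced to a direct assignment.

```python
import copy
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Sequence


@dataclass
class GroupTable:
    """Subset of group managed table 600 (assumed fields: id, key, host names)."""
    group_id: str
    group_key: bytes
    hostnames: List[str] = field(default_factory=list)


@dataclass
class MemoryCard:
    table: Optional[GroupTable] = None  # None models an empty card


@dataclass
class Node:
    hostname: str
    table: Optional[GroupTable] = None  # copy held in the node's own database

    def on_card_inserted(self, card: MemoryCard, peers: Sequence["Node"] = ()) -> str:
        """Choose the processing from where table 600 exists, as the control section does."""
        on_card, in_db = card.table is not None, self.table is not None
        if not on_card and not in_db:
            # Table in neither place: generate a new group and write it to both.
            self.table = GroupTable(secrets.token_hex(4), secrets.token_bytes(32),
                                    [self.hostname])
            card.table = copy.deepcopy(self.table)
            return "generate"
        if on_card and not in_db:
            # Table only on the card: join, then announce ourselves to the peers.
            card.table.hostnames.append(self.hostname)
            self.table = copy.deepcopy(card.table)
            for peer in peers:
                # The subscription command travels over IPsec, so a peer only
                # accepts it when both sides hold the same group key.
                if peer.table and peer.table.group_key == self.table.group_key:
                    peer.table.hostnames.append(self.hostname)
            return "join"
        if not on_card and in_db:
            # Empty card, table in the database: notify peers, then delete.
            for peer in peers:
                if peer.table and self.hostname in peer.table.hostnames:
                    peer.table.hostnames.remove(self.hostname)
            self.table = None
            return "leave"
        # Table in both places: copy the node's current table onto the card.
        card.table = copy.deepcopy(self.table)
        return "update"


def rekey(members: Sequence[Node]) -> None:
    """Model a periodic group key update reaching every current member."""
    new_key = secrets.token_bytes(32)
    for node in members:
        node.table.group_key = new_key


def stale_card_demo() -> dict:
    card_a = MemoryCard()
    tv, aircon, camera, video = (Node(n) for n in ("tv", "aircon", "camera", "video"))
    actions = [tv.on_card_inserted(card_a),
               aircon.on_card_inserted(card_a, peers=[tv])]
    rekey([tv, aircon])                      # card A now carries the old key
    actions.append(camera.on_card_inserted(card_a, peers=[tv, aircon]))
    stale_ok = camera.table.group_key == tv.table.group_key
    actions.append(tv.on_card_inserted(card_a))   # refresh the card first
    actions.append(video.on_card_inserted(card_a, peers=[tv, aircon]))
    fresh_ok = video.table.group_key == tv.table.group_key
    return {"actions": actions, "stale_join_key_matches": stale_ok,
            "fresh_join_key_matches": fresh_ok, "tv_members": list(tv.table.hostnames)}


if __name__ == "__main__":
    print(stale_card_demo())
```
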
[0104] 

The group control IP packet reception section 3600 performs processing at the time
of receiving the above-mentioned group control IP packet.

[0105] 

Specifically, when a subscription command is received, the IP address and host name
which are stored in the IP address storing section 1002 and the host name storing
section 1003 are added to the node's own group managed table 600 and group member
managed table 800, and the security association required in order to perform
cryptocommunication with the transmitting agency node 100 is created. On the other
hand, they are deleted when a balking command is received.
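As an added illustration (not code from the patent), the sketch below encodes and strictly parses the data division of a group control IP packet and applies it to the receiver's tables. The page fixes only the 16-byte IP address field and the (00)/(01) hex command values; the 1-byte command field, the 1-byte length prefix and ASCII encoding for the host name, and all identifiers are assumptions made for the example.

```python
import ipaddress
import re
import struct
from dataclasses import dataclass, field

CMD_SUBSCRIBE = 0x00  # "subscription" command, (00) hex on the page
CMD_BALKING = 0x01    # "balking" command, (01) hex on the page

# Assumed layout: command (1 byte) | IPv6 address (16 bytes) | name length (1 byte) | name
_HEADER = struct.Struct("!B16sB")
# Assumed host name rule: 1..253 ASCII letters, digits, dots, hyphens.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")


class ControlDataError(ValueError):
    """Raised when a data division does not match the assumed layout."""


def build_control_data(command: int, address: str, hostname: str) -> bytes:
    if command not in (CMD_SUBSCRIBE, CMD_BALKING):
        raise ControlDataError("unknown command identifier")
    if not _HOSTNAME_RE.fullmatch(hostname):
        raise ControlDataError("invalid host name")
    name = hostname.encode("ascii")
    packed = ipaddress.IPv6Address(address).packed  # always 16 bytes
    return _HEADER.pack(command, packed, len(name)) + name


def parse_control_data(data: bytes):
    """Return (command, IPv6Address, hostname) or raise ControlDataError."""
    if len(data) < _HEADER.size:
        raise ControlDataError("truncated data division")
    command, packed, name_len = _HEADER.unpack_from(data)
    if command not in (CMD_SUBSCRIBE, CMD_BALKING):
        raise ControlDataError("unknown command identifier")
    raw_name = data[_HEADER.size:]
    if len(raw_name) != name_len:
        raise ControlDataError("host name length mismatch")
    try:
        hostname = raw_name.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ControlDataError("host name is not ASCII") from exc
    if not _HOSTNAME_RE.fullmatch(hostname):
        raise ControlDataError("invalid host name")
    return command, ipaddress.IPv6Address(packed), hostname


@dataclass
class GroupTables:
    hostnames: set = field(default_factory=set)    # host name fields 606 of table 600
    addresses: dict = field(default_factory=dict)  # table 800: host name -> IP address

    def handle(self, data: bytes, via_group_ipsec: bool) -> str:
        """Apply one received control packet to the local tables."""
        # Join and leave notices are sent by IPsec communication within the
        # group, so a control packet that arrived any other way is not applied.
        if not via_group_ipsec:
            return "ignored"
        try:
            command, address, hostname = parse_control_data(data)
        except ControlDataError:
            return "malformed"
        if command == CMD_SUBSCRIBE:
            self.hostnames.add(hostname)
            self.addresses[hostname] = address
            return "added"
        self.hostnames.discard(hostname)
        removed = self.addresses.pop(hostname, None)
        return "removed" if removed is not None else "unknown member"


if __name__ == "__main__":
    tables = GroupTables()
    join = build_control_data(CMD_SUBSCRIBE, "2001:db8::c", "camera")  # constructed sample
    print(tables.handle(join, via_group_ipsec=True), tables.addresses)
```
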
[0106] 

Next, the group managed table 600, the application managed table 700 for an access
control, and the group member managed table 800, which are stored in the access
policy database 308, are explained below.
[0107] 

The group managed table 600 is a table which stores the information for identifying
the nodes 100 belonging to a group and the information on the key shared within the
group. The example is shown in drawing 8.
[0108] 

As shown in this Fig., the group managed table 600 has the group identification
descriptor storing field 601 which stores the group identification descriptor for
identifying the group constituted by the nodes 100 connected to the network, the
group key storing field 602 which stores a group key, the group key expiration date
storing field 603 which stores the expiration date of the group key, the IPsec
classification storing field 604 which stores the classification of the function of
IPsec, such as AH and ESP, used for a communication link within the group, the
algorithm storing field 605 which stores the algorithm used for authentication or
encryption, and the host name storing field 606 (606A-606B) which stores the host
name which is the information which identifies a node 100 belonging to the group.
[0109] 

The application managed table 700 for an access control is a table in which the
information used for the access control to each application mounted in the node 100
is stored, when an application which nodes 100 outside the group can use is mounted
in the node 100.
[0110] 

In addition, this table is unnecessary when only application which a node 100 offers
only to access out of a group is mounted.

[0111] 

An example of the application managed table 700 for an access control is shown in 
drawing 9 . 



[0112] 

As shown in this Fig., the application managed table 700 for an access control is
equipped with the port number storing field 701 (701A, 701B) which stores the port
number which an application opened to nodes 100 outside the group uses. At the time
of IP packet reception, each node 100 refers to this table and judges whether the
application which the IP packet concerned is going to access is an application
opened to nodes 100 outside the group.
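The receive path described earlier (a keyed hash checked with the group key for packets carrying an AH header, a port lookup in table 700 for packets without one) can be sketched as follows. This is an added example, not the patent's implementation: HMAC-SHA-256 stands in for whatever algorithm field 605 names, the `Packet` model and all function names are hypothetical, and the sample addresses are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Packet:
    src: str                     # sender address
    dst_port: int                # port of the application being requested
    payload: bytes
    icv: Optional[bytes] = None  # keyed hash as carried in the AH header; None = plain packet


def keyed_hash(group_key: bytes, pkt: Packet) -> bytes:
    """Hash, keyed with the group key, over every field the receiver acts on."""
    src = pkt.src.encode()
    msg = len(src).to_bytes(1, "big") + src + pkt.dst_port.to_bytes(2, "big") + pkt.payload
    return hmac.new(group_key, msg, hashlib.sha256).digest()


def send_in_group(group_key: bytes, src: str, dst_port: int, payload: bytes) -> Packet:
    """Sender side: attach the keyed hash, as a group member would."""
    pkt = Packet(src, dst_port, payload)
    pkt.icv = keyed_hash(group_key, pkt)
    return pkt


def receive(pkt: Packet, group_key: Optional[bytes], open_ports: Set[int]) -> str:
    """Receiver side: the reception pretreatment split, then the matching check."""
    if pkt.icv is not None:
        # Role of the IPsec processing section: recompute the hash with the key
        # this node holds and compare in constant time.
        if group_key is None:
            return "drop: no group key held"
        if hmac.compare_digest(pkt.icv, keyed_hash(group_key, pkt)):
            return "accept: group member"
        return "drop: hash mismatch"
    # Role of the receiving access-control section: a plain packet is served
    # only if its port is listed in the application managed table.
    if pkt.dst_port in open_ports:
        return "accept: application open to non-group nodes"
    return "refuse: sender is outside the group"


if __name__ == "__main__":
    key = b"\x11" * 32   # constructed sample group key
    table_700 = {8080}   # constructed sample: one port opened to outsiders
    request = send_in_group(key, "2001:db8::a", 5000, b"set-temp 24")
    print(receive(request, key, table_700))
    print(receive(Packet("2001:db8::d", 5000, b"set-temp 24"), key, table_700))
    print(receive(Packet("2001:db8::d", 8080, b"status"), key, table_700))
```
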
[0113] 

Next, the group member managed table 800 is explained. In order to perform IP packet
communication between the nodes 100 based on IPv6, it is necessary to get to know
the IP address of each node 100. The IP address of each node 100 belonging to a
group is acquired by solving the address from the host name of each node 100
acquired at the time of group participation, by the exchange of ICMP (Internet
Control Message Protocol) Echo Request/Reply packets. Thus, each node creates the
group member managed table 800 by solving an IP address from a host name, and the
correspondence between the host name and the IP address of each node 100 belonging
to the group is stored there.
[0114] 

An example of the group member managed table 800 is shown in drawing 10 . 
[0115] 

As shown in this Fig., this table is equipped with the host name storing field 801
which stores the host name which specifies a node, the IP address storing field 802
which stores the IP address of each node 100 in correspondence with the host name,
and the expiration date storing field 802 which stores the expiration date of the IP
address.
[0116] 

When a node 100 reboots, the IP address of the node 100 may change. Moreover, if
transmission and reception with the IP address stored in the IP address storing
section 802 are not performed for a fixed time, the expiration date may pass.
[0117] 

When transmitting an IP packet to such a node, the IPv6 transmitting pretreatment
section 305 of a node 100 solves the address again from the host name by the
exchange of ICMP Echo Request/Reply packets, and notifies it to the group management
processing section 302. In response to it, the group information update process
section 3500 of the group management processing section 302 updates this table, in
which the IP address is registered, and the security association used for the
communication link within the group.
[0118] 

Next, the security association 900 stored in the SA database 309 is explained. A
security association manages the information that must be shared in order to
communicate in accordance with IPsec. For example, for communication between node
100A and node 100B, a security association 900 must be set up independently for each
direction: one for communication from node 100A to node 100B and one for
communication from node 100B to node 100A.
[0119] 

An example of the security association 900 is shown in drawing 11.
[0120] 

As shown in this figure, the security association 900 contains an SPI (security
policy identifier) that identifies each security association, a source IP address, a
destination address, and, as the protocol, the designation of authentication or
encryption, the designation of transport mode or tunnel mode as the encryption range,
the cryptographic algorithm, the cryptographic key, the authentication algorithm, the
authentication key, the expiration date of the keys, and so on.
[0121]

In this embodiment, when each node 100 creates a security association 900 for
transmission, it sets the IP address of its own node 100 as the source IP address and
the IP address of the communication partner node as the destination IP address. When
it creates one for reception, it sets the IP address of the communication partner as
the source IP address and the IP address of its own node 100 as the destination IP
address.
[0122] 

For both the transmission and the reception security associations, the group
identification descriptor stored in the group identification descriptor storing
section 601 of the group managed table 600 is set as the SPI. Likewise, for both, the
protocol, the authentication key algorithm, the authentication key, and the
expiration date are set to the values stored in the group managed table 600.
[0123] 

The functions of the node 100 in this embodiment have been explained above.

[0124]

Next, the procedures by which the nodes 100 of this embodiment connected to the
network 110 generate a group, participate in it, secede from a group in which they
once participated, and so on are explained.
[0125]

The following explanation takes as an example the case where, as the IPsec settings,
AH is used as the functional classification, transport mode is used as the mode, and
SHA-1 (Secure Hash Algorithm 1, specified in the SHS (Secure Hash Standard), FIPS
180) is used as the authentication algorithm. The settings of the IPsec communication
link are not restricted to these.



[0126] 

Moreover, in this embodiment, as mentioned above, group generation, participation,
balking, renewal of information, etc. are performed using two memory cards: a memory
card that stores the group's information and an empty memory card used when seceding
from the group.
[0127]

The group management procedure 3020 performed by the group management processing
section 302 is shown in drawing 12.

[0128] 

The group management procedure 3020 is started when a user inserts a memory card into
the record-medium interface 206 of a node 100.

[0129]

When it detects that a memory card has been inserted into the record-medium interface
206, the storage interface processing section 318 of the node 100 turns on the LED
light with which the storage interface 206 is equipped, showing the user that the
memory card is in use.

[0130]

When the LED light is switched off, the user knows that processing is complete and
can remove the memory card.

[0131]

The storage interface processing section 318 also notifies the group management
processing section 302 that it has detected the memory card. In response to the
notice, the group management processing section 302 starts the group management
processing 1000.
[0132] 

First, the control section 3100 of the group management processing section 302
accesses its own access policy database 308 and, through the record-medium interface
processing section 318, the inserted memory card, and checks whether the group
managed table 600 exists in each (step 3021).
[0133]

When the group managed table 600 exists in neither, the control section 3100 judges
that the group itself does not exist, that is, that a group needs to be generated,
and has the group generation processing section 3200 perform the group generation
processing 3210 (step 3022). When the group generation processing 3210 is completed,
the control section 302 notifies the storage interface processing section 318 that
writing to the memory card has finished (step 3027) and ends processing.
When the table does not exist in its own access policy database 302 but exists on the
memory card, the control section 3100 judges that the node is to participate in the
group recorded on the memory card and has the group participating processing section
3300 perform the group participating processing 3310 (step 3023). When group
participating processing is completed, processing progresses to step 3027.



[0134] 

When the table does not exist on the memory card but exists in its own access policy
database 302, the control section 3100 judges that group balking processing is to be
performed, because an empty memory card has been inserted although the node already
belongs to a group, and has the group balking processing section 3400 perform the
group balking processing 3410 (step 3026). When group balking processing is
completed, processing progresses to step 3027.
[0135]

When the group managed table 600 exists in both, the control section 3100 first
compares the group identification descriptor of the group managed table 600 in the
access policy database 302 with that of the group managed table 600 on the memory
card (step 3024).
[0136]

If the two are the same, the control section judges that the group information on the
memory card is to be updated and has the group information update process section
3500 perform, as the group information update process 3510, the processing that
copies the group managed table 600 in the access policy database 302 to the memory
card (step 3025). When this processing is completed, processing progresses to step
3027.
[0137]

If the two differ in step 3024, the control section 3100 judges that the wrong memory
card was inserted and progresses directly to step 3027.

[0138] 

Next, the procedures of the group generation processing 1200, the group participating
processing 1300, the group balking processing 1600, and the group information update
process 1500 are explained.
[0139]

First, the procedure of the group generation processing 3210 is shown in drawing 13.
[0140]

On receiving an instruction to start processing from the control section 3100, the
group generation processing section 3200 generates a group key (step 3211), generates
the group identification descriptor for identifying the group (step 3212), chooses
authentication (AH) as the authentication/encryption mode (step 3213), and chooses
SHA-1 as the algorithm (step 3214).
[0141]

These are stored in the group key storing field 602, the group identification
descriptor storing field 601, the IPsec classification storing field 604, and the
algorithm storing field 605, respectively, and the group managed table 600 is created
(step 3215). The host name of the own node 100 is then registered in the host name
storing field 606 (step 3216).
[0142]

The group generation processing section 3200 stores the completed group managed table
600 in the access policy database 308 of its own node 100, copies the table to the
memory card (steps 3217 and 3218), and notifies the control section 3100 that
processing is complete.

[0143] 

Next, the procedure of the group participating processing 3310 is shown in drawing
14.

[0144]

On receiving an instruction to start processing from the control section 3100, the
group participating processing section 3300 adds the host name of its own node 100 to
the host name storing field 606 of the group managed table 600 on the memory card
(step 3311) and stores the group managed table 600 from the memory card in its own
access policy database 308 (step 3312).
[0145]

Next, it performs the notice processing 3710 of a new member, which creates the group
member managed table 800 and notifies each node 100 already belonging to the group of
its own participation (step 3313).
[0146]

It then generates the security associations 900 used for the IPsec communication link
with each node 100, using the information in the group managed table 600 and the
group member managed table 800 recorded in the preceding steps (step 3314), and
notifies the control section 3100 that processing is complete.
[0147] 

Here, the procedure of the notice processing 3710 of a new member is explained. The
procedure is shown in drawing 15.

[0148]

In the notice processing 3710 of a new member, for each host stored in the host name
field 606 of the group managed table 600, in order, the IP address is acquired by
ICMP Echo Request/Reply (step 3712), and the acquired IP address is registered for
that host name in the group member managed table 800 (step 3713).
[0149]

A subscription command addressed to the IP address acquired in the above step for the
node 100 that constitutes the group is generated (step 3714) and transmitted (step
3715).
[0150]

The next host name is then read and the processing of steps 1330-1360 is repeated
(step 3316). When the host name read is the node's own host name, nothing is
processed and the next host name is read (step 3711). After the above processing has
been finished for all the nodes stored in the host name storing field 606 of the
group managed table 600 except the own node 100 (step 3717), the notice processing
1330 of a new member into the group is finished.
[0151] 

In the above, the group participating processing 3310 was explained. 
[0152] 

Next, the group balking processing 3410 is explained using drawing 16.
[0153]

On receiving an instruction to start processing from the control section 3100, the
group balking processing section 3400 reads, in order, the host names registered in
the host name storing section 606 of the group managed table 600 in the node 100
(step 3311).
[0154]

When the host name read matches the node's own host name, the next host name is read.

[0155]

When the host name read does not match the node's own host name, the IP address
corresponding to that host name is looked up in the group member managed table 800
(step 3312). Hereafter, this IP address is called the searched IP address.
[0156]

Next, a balking command whose destination IP address is the searched IP address is
created (step 3313) and transmitted to the node 100 that has that destination IP
address (step 3314).
[0157]

The group balking processing section 3400 then deletes the data concerning the
searched IP address, for which the above operation was performed, from the group
member managed table 800 that it holds (step 3315).
[0158]

Next, the security association 900 whose destination IP address equals the searched
IP address is extracted from the security associations 900 stored in the SA database
309 and deleted (step 3316).
[0159]

Likewise, the security association 900 whose source IP address equals the searched IP
address is extracted and deleted (step 3317).

[0160]

After performing the processing of steps 3311 to 3317 for all the host names
registered in the group managed table 600 (step 3318), the group balking processing
section 3400 deletes the group managed table 600 that it holds (step 3319) and ends
the group balking processing 3310. It then notifies the control section 3100 that
processing has finished.
[0161] 

Next, the processing on the side of each node 100 that receives the subscription
command transmitted in step 3715 of the notice processing 3710 of a new member in the
above-mentioned group participating processing 3310, or the balking command
transmitted in step 3314 of the group balking processing 3310, is explained below.

[0162]

This processing is performed by the group control IP packet reception section 3600
and is called the group control IP packet reception 3610. Its procedure is shown in
drawing 17.
[0163]

When a node 100 that constitutes the group receives a group control IP packet in the
network interface reception section 310, the packet is delivered to the group control
IP packet reception section 3600 of the group management processing section 302
through the IP receive section 314 and the TCP/UDP reception section 315.
[0164]

On receiving the packet, the group control IP packet reception section 3600 checks
whether the command identifier set in the command identifier storing section 1001 is
subscription (step 3611).
[0165]

When the command identifier is (00) hex, which indicates subscription, at step 3611
(i.e., when a subscription command has been received), processing progresses to step
3612, and the host name of the node 100 that transmitted the subscription command,
set in the host name 1003 of the group control IP packet, is registered in the group
managed table 600 (step 3612).
[0166]

Then the host name of the node 100 that transmitted the subscription command and its
IP address, set in the IP address storing section 1002 of the group control IP
packet, are registered in the group member managed table 800 (step 3613).

[0167] 

Next, the group control IP packet reception section 3600 creates a security
association 900 for transmission, i.e., for the direction from its own node 100 to
the newly joined node 100 that transmitted the subscription command, and one for
reception, i.e., for the direction from the newly joined node 100 that transmitted
the subscription command to its own node 100 (steps 3614 and 3615).
[0168]

When the command identifier is (01) hex, which indicates balking, at step 3611 (i.e.,
when a balking command has been received), the group control IP packet reception
section 3600 progresses to step 3616.
[0169]

Here, the group control IP packet reception section 3600 extracts, from the security
associations 900 stored in the SA database 309, the one whose destination IP address
equals the IP address stored in IP address 1002 of the data division 1000 of the
received group balking command, and deletes it (step 3616).

Next, it deletes the data whose IP address equals IP address 1002 of the received
balking command from the group member managed table 800 (step 3617), and deletes the
host name equal to the host name stored in the host name 1003 of the received balking
command from the group managed table 600 on its own node 100 (step 3618).
[0170]

By performing the above procedure in all the nodes 100 in the group, the security
associations 900 held by each node 100 that correspond to the seceded node 100 are
deleted, and the information on the seceded node 100 is deleted from the group
managed table 600.

[0171] 

As described above, when a node 100 that constitutes the group undergoes a change
such as new subscription or balking, the other nodes 100 that receive the group
control IP packet transmitted from that node 100 update the security associations and
the group managed table 600 that they hold.
[0172] 

In the above, group control IP packet reception was explained. 
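
The memory-card dispatch of steps 3021 to 3027, together with the subscription and balking handling it triggers on peers, can be modelled as follows. This is an added illustration, not code from the patent: the `Node` class, the `net` registry that stands in for ICMP name resolution and packet delivery, and the dict used as the memory card are all assumptions.

```python
import secrets
from dataclasses import dataclass, field

JOIN, LEAVE = 0x00, 0x01   # command identifiers given in [0165] and [0168]


@dataclass
class GroupTable:                                # group managed table 600
    group_id: int                                # field 601, reused as the SPI ([0122])
    group_key: bytes                             # field 602
    ipsec_type: str = "AH"                       # field 604
    algorithm: str = "SHA-1"                     # field 605
    hosts: list = field(default_factory=list)    # field 606

    def copy(self):
        return GroupTable(self.group_id, self.group_key, self.ipsec_type,
                          self.algorithm, list(self.hosts))


class Node:
    def __init__(self, host, addr, net):
        self.host, self.addr, self.net = host, addr, net
        self.table = None    # own copy of table 600 (None: not in a group)
        self.members = {}    # group member managed table 800: host -> IP
        self.sadb = set()    # SA database 309 as (spi, src, dst) tuples
        net[host] = self     # hypothetical registry standing in for the LAN

    def _add_sas(self, peer_addr):
        spi = self.table.group_id
        self.sadb.add((spi, self.addr, peer_addr))   # SA for transmission
        self.sadb.add((spi, peer_addr, self.addr))   # SA for reception

    def _drop_sas(self, peer_addr):
        self.sadb = {sa for sa in self.sadb if peer_addr not in sa[1:]}

    def insert_card(self, card):
        """Dispatch on where table 600 exists (step 3021); returns the action."""
        on_card = card.get("table")
        if self.table is None and on_card is None:           # step 3022: generate
            spi = 256 + secrets.randbelow(2**32 - 256)        # assumed ID format
            self.table = GroupTable(spi, secrets.token_bytes(20), hosts=[self.host])
            card["table"] = self.table.copy()
            return "generate"
        if self.table is None:                                # step 3023: participate
            on_card.hosts.append(self.host)
            self.table = on_card.copy()
            for h in self.table.hosts:
                if h == self.host:
                    continue
                peer = self.net[h]             # stands in for ICMP Echo resolution
                self.members[h] = peer.addr
                self._add_sas(peer.addr)
                peer.receive_control(JOIN, self.addr, self.host)
            return "join"
        if on_card is None:                                   # step 3026: balking
            for h in self.table.hosts:
                if h == self.host:
                    continue
                peer_addr = self.members.pop(h)
                self.net[h].receive_control(LEAVE, self.addr, self.host)
                self._drop_sas(peer_addr)
            self.table = None
            return "leave"
        if on_card.group_id == self.table.group_id:           # steps 3024, 3025
            card["table"] = self.table.copy()
            return "update"
        return "wrong-card"                                   # [0137]

    def receive_control(self, cmd, addr, host):
        """Group control IP packet reception 3610 (steps 3611 to 3618)."""
        if cmd == JOIN:
            self.table.hosts.append(host)
            self.members[host] = addr
            self._add_sas(addr)
        elif cmd == LEAVE:
            # Step 3616 as written matches on the destination address only; this
            # sketch also removes the inbound SA (source = departed node).
            self._drop_sas(addr)
            self.members.pop(host, None)
            if host in self.table.hosts:
                self.table.hosts.remove(host)
```

In the procedure as described, the group key stays the same when a node leaves: removal depends on the leaving node deleting its own copy and on every peer deleting the matching security associations.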
[0173] 

So far, the group management processing performed by the group management processing
section 302, such as group generation, participation, and balking, has been
explained.
[0174]

Next, the procedure by which nodes use one another's applications within the group
generated and managed by the above procedure is explained.
[0175]

Applications are used by sending and receiving IP packets. First, the transmission
and reception of these IP packets is explained.

[0176] 

As mentioned above, the security associations 900 needed to perform an IPsec
communication link are generated in advance by the group management processing 302
whenever a new member is added to the group. That is, as long as a node belongs to
the group, the IPsec communication link is possible.

[0177]

When transmitting an IP packet, the IPsec transmitting processing section 306
searches the SA database 309 using the destination IP address in the IP header of the
packet to be transmitted as the key, and extracts the security association 900 in
which the matching IP address is stored as the destination IP address. IPsec
processing is performed based on the information registered in the extracted security
association 900, IPv6 transmitting after treatment 307 is performed, and the IP
packet is transmitted to the destination node through the network interface
transmitting processing section.

[0178] 

Next, the procedure at the time of IP packet reception is explained using drawing 18.

[0179]

When an IP packet is received through the network interface reception section 310,
the IPv6 reception pretreatment section 311 performs IPv6 reception pretreatment
(step 4010) and checks whether an AH header is present in the received IP header
(step 4020).
[0180]

If it judges that the AH header 401 is present in the received IP header, the IP
packet is delivered to the IPsec reception section 312.

[0181]

On receiving the packet, the IPsec reception section 312 performs the IPsec reception
3120 described later (step 4030) and delivers the IP packet to the IPv6 receiving
after-treatment section 313.
[0182]

The IPv6 receiving after-treatment section 313 then performs IPv6 receiving after
treatment 3130 (step 4040) and ends processing.

[0183] 

Here, the IPv6 receiving after-treatment section 313 delivers the received packet, on
which IPv6 receiving after treatment 3130 has been completed, to the TCP/UDP
reception section 315. The TCP/UDP reception section 315 performs reception
processing on the packet and passes it to application 301 as received data.
[0184]

When it is judged at step 4020 that the above-mentioned header is absent, the IP
packet is delivered to the receiving access-control section 316.

[0185]

On receiving the packet, the receiving access-control section 316 checks whether it
is an ICMP packet (step 4050).

[0186]

If the received IP packet is judged at step 4050 to be an ICMP packet, it is
delivered as it is to the IPv6 receiving after-treatment section 313, IPv6 receiving
after treatment 3130 is performed (step 4040), and processing ends.

[0187]

If it is judged at step 4050 that the packet is not an ICMP packet, the receiving
access-control section 316 judges that the IP packet is an IP packet outside a group,
transmitted from a node 100 outside the group, performs the IP packet reception 3160
outside a group described later (step 4060), and ends processing.
[0188] 

Next, the above-mentioned IPsec processing 3120 is explained. 



[0189] 

When the IPsec processing section 312 receives an IP packet that has an AH header, it
extracts from the SA database 309 the security association 900 that matches the
source IP address and destination IP address of the IP header and the SPI set in the
AH header 401.
[0190]

It then creates authentication information for the received IP packet using the
authentication key stored in the extracted security association 900 and compares it
with the authentication information set in the AH header 401.
[0191]

If the two match, the received IP packet is regarded as a transmission from a
legitimate node 100 belonging to the group and is delivered to the IPv6 receiving
after-treatment section 313. If they do not match, the IP packet is discarded.
[0192] 

The IPsec processing 3120 was explained above. 

[0193] 

Next, the packet reception 3160 outside a group performed by the receiving
access-control section 316 is explained.

[0194]

As mentioned above, in this embodiment, a node 100 belonging to the group prevents an
IP packet received from a node 100 outside the group from reaching application 301
through the IPv6 receiving after-treatment section 313 and the TCP/UDP reception
section 315: in the IPsec communications processing section 312 when the received IP
packet has an AH header, and in the IPv6 reception pretreatment section 311 when the
received IP packet has no AH header.
[0195]

However, in this embodiment, some nodes 100 open the use of applications they hold to
nodes 100 outside the group as well. As mentioned above, a node 100 that has such
applications manages the port number of each such application in the application
managed table 700 for access control.
[0196]

As explained previously, when an IP packet that has an AH header is received from a
node 100 outside the group, it is discarded in the IPsec communications processing
section 312 because the IP packet cannot be decoded.
[0197]

The IP packet reception 3160 outside a group is the processing that, when an ordinary
IP packet is received from a node 100 outside the group, passes the IP packet to an
application opened to nodes 100 outside the group.
[0198]

In the IP packet reception 3160 outside a group, when the node 100 that received the
IP packet offers no service function at all to nodes 100 outside the group, an IP
packet that stores an access error as data is transmitted to the source and the
received IP packet is discarded. On the other hand, when the node offers some service
function to nodes 100 outside the group, provision of the application is controlled
according to what is registered in the application managed table 700 for access
control.
[0199] 

The procedure is explained below using drawing 19.
[0200]

When the receiving access-control section 316 receives an IP packet that is not an
ICMP packet from the IPv6 reception pretreatment section 311, it compares the
destination port number read from the IP packet with the port numbers 701 registered
in the application managed table 700 for access control (step 3161).
[0201]

Because the port numbers of the applications whose use is permitted to nodes outside
the group are registered in the application managed table 700 for access control,
when the two match, the service function can be provided to the requesting node 100.
[0202]

In this case, the receiving access-control section 316 delivers the received IP
packet to the IPv6 receiving after-treatment section 313, which performs IPv6
receiving after treatment 3130 (step 3164).
[0203]

The TCP/UDP reception section 315, having received the processed IP packet from the
IPv6 receiving after-treatment section 313, delivers it to application 301.
[0204]

When the port numbers do not match in step 3161, there is no service function that
can be offered, so the receiving access-control section 316 generates an IP packet
that stores an access error as data, transmits it to the source from the IP
transmitting section 304 (step 3162), and discards the received IP packet (step
3163).
[0205] 

In the above, the IP packet reception outside a group was explained. 
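
The receive path of steps 4010 to 4060, the IPsec reception 3120 and the port check of step 3161 can be put together in one model, given here as an added example that is not code from the patent. The `Packet` class is a constructed stand-in for an IP packet, and the authentication information is assumed to be HMAC-SHA-1 truncated to 96 bits over a simplified field encoding; the text only names SHA-1 and an authentication key.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:                      # constructed stand-in for a received IP packet
    src: str
    dst: str
    proto: str                     # "icmp", "tcp" or "udp"
    dport: int
    payload: bytes
    spi: Optional[int] = None      # set only when the packet carries an AH header
    icv: Optional[bytes] = None    # authentication information from the AH header


def compute_icv(key, src, dst, spi, payload):
    """Assumed integrity check: HMAC-SHA-1 truncated to 96 bits.

    Real AH covers the immutable IP header fields, the AH header and the
    payload; here the covered fields are length-prefixed and concatenated.
    """
    parts = [src.encode(), dst.encode(), spi.to_bytes(4, "big"), payload]
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha1).digest()[:12]


def make_ah_packet(key, src, dst, spi, proto, dport, payload):
    """Sender side: attach the SPI and the authentication information."""
    icv = compute_icv(key, src, dst, spi, payload)
    return Packet(src, dst, proto, dport, payload, spi, icv)


class Receiver:
    def __init__(self, sadb, open_ports):
        self.sadb = dict(sadb)             # SA database 309: (src, dst, spi) -> key
        self.open_ports = set(open_ports)  # table 700: ports opened outside the group

    def receive(self, pkt):
        if pkt.spi is not None:                                     # step 4020
            key = self.sadb.get((pkt.src, pkt.dst, pkt.spi))        # [0189]
            if key is None:
                return "discard: no matching SA"
            expected = compute_icv(key, pkt.src, pkt.dst, pkt.spi, pkt.payload)
            # Constant-time comparison of the two values ([0190], [0191]).
            if not hmac.compare_digest(expected, pkt.icv or b""):
                return "discard: authentication mismatch"
            return "deliver: group member"
        if pkt.proto == "icmp":                                     # step 4050
            return "deliver: icmp"         # passed on without authentication
        if pkt.dport in self.open_ports:                            # step 3161
            return "deliver: open application"
        return "access error"                                       # steps 3162, 3163
```

Everything that reaches the last three return statements is unauthenticated, so the ports listed in table 700 and the node's ICMP handling are what it exposes to hosts outside the group.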
[0206] 

Thus, in this embodiment, access permission inside and outside the group can be
controlled by performing an IPsec communication link between the nodes 100 in the
group and, for nodes 100 outside the group, performing communication by ordinary IP
packets for each application according to the port number of each application managed
in the application managed table 700 for access control. A single node 100 can
thereby implement both service functions used only within the group and service
functions that everyone can use, with access control for each.

[0207] 

According to this embodiment, the information required for the IPsec communication
link, including the group key created in a node 100 that constitutes the home
network, is distributed through a common memory card to each node 100 that the user
permits to take part in mutual use.
[0208]

A node 100 that receives this information sets up security associations 900 so that
it can perform an IPsec communication link with the other nodes 100 belonging to the
group, and notifies those nodes 100 that it has newly joined.
[0209]

Each node 100 that receives the notice sets up security associations 900 so that it
can perform the IPsec communication link with the newly joined node 100.
[0210]

As described above, this embodiment makes it possible for the devices that constitute
a group to easily generate and manage a group in which they can authenticate one
another and communicate safely, without going through any equipment other than the
devices that constitute the group, such as an authentication server or equipment with
a key management tool, when starting communication.
[0211]

Moreover, the information required to generate and manage a group, and the
instructions for group generation, participation in a group, and balking from a
group, are given to each node through a storage medium such as a memory card.
[0212]

Thus, with this embodiment, an environment in which an IPsec communication link is
possible only between the devices that constitute a group can be built easily,
without preparing special devices such as a server and without prior preparation such
as preparing an IC card holding two or more master keys and configuring in advance
each device that constitutes the group.
[0213]

Moreover, with this embodiment, even when a single node implements both applications
that only nodes in the group can use and applications that nodes outside the group
can also use, access control for each can be realized easily.
[0214] 

Although this embodiment has been explained taking a memory card as an example of the
storage medium used to give instructions for group generation, subscription, and
balking, the storage medium is not restricted to this. Any portable storage medium
may be used as long as each node is equipped with an interface for it.
[0215]

Moreover, although in this embodiment the information required to perform an IPsec
communication link is delivered and received via a storage medium, the invention is
not restricted to this. For example, each node may be equipped with an input unit
through which the user inputs the information.
[0216]

Furthermore, although insertion of an empty memory card has been explained as an
example of the trigger that starts balking processing from a group, the trigger is
not restricted to this. For example, each node may be equipped with a reset button
through which the user gives the instruction to start balking processing.
[0217]

Moreover, the user is notified of the end of group generation and subscription
processing by means of an LED. The notification function is not restricted to this
either.

[0218]

In addition, this invention is not limited to the above-mentioned embodiment, and
various modifications are possible within the scope of its gist.

[0219]

For example, although the above-mentioned embodiment was explained taking the case of
the network in **, this invention is not limited to this. This invention is widely
applicable to various network systems that need mutual authentication.
[0220] 

Next, building on the embodiment described above, an embodiment using subgroups is
explained with reference to drawing 20 through drawing 31. A subgroup restricts, for
each user, the nodes that can be used within the group, among node A through node F
that are candidates for use, to the range that the manager of the nodes approves.

[0221]

Drawing 20 shows an example configuration of a network to which this invention is
applied, such as a network in **, a small office network called SOHO, or a local
network typified by an office floor network. Hereafter, the case where this invention
is applied in ** is explained as an example. The network in ** consists of two or
more nodes 105 (105 A, B) and 106 (106 C-F), for example household electric
appliances such as a microwave oven and an air-conditioner, AV equipment such as
television and video, sensors, and PCs, and each device can transmit and receive IP
packets by IPv6. This network realizes operation of the other nodes 105 and 106 from
the nodes 105 and 106, and provision of the service functions with which each is
equipped to the other nodes 105 and 106.
[0222] 

Moreover, based on the above-mentioned embodiment, an SA900 that enables IPsec
communication using the group key 602 common to the group is set in each node, so
that these nodes 105 and 106 are in a condition in which they can perform the IPsec
communication link using said group key 602 for communication within the group.
Hereafter, this group is called the root group 107. To construct the root group 107,
every node 105 and 106 that constitutes the root group 107 sets up, for all the nodes
105 and 106, the root group 107's SA900 for transmission and SA900 for reception in
the group managed table 600 in the group access database 308 and in the SA database
309. In this embodiment, encryption by 3DES is applied in the IPsec communication
link used for communication within the root group.
[0223] 

In this embodiment, network devices are divided roughly into two kinds according to
the user interface function with which a node is equipped. The first node 105 is a
node equipped with the kind of interface functions a PC has, for example a display
that can show the list of host names of the nodes that constitute the network in **
and a keyboard with which characters can be input. The second node 106 is a node
equipped with only the minimum interface for operating the functions with which the
node is originally equipped. Devices equivalent to the first node 105 are assumed to
be PCs, televisions, household-electric-appliance remote controls, and so on; in
drawing 20, node A105A and node B105B are first nodes 105. Devices equivalent to the
second network device 106 are assumed to be white goods such as an air-conditioner
and a microwave oven, sensors, and so on; in drawing 20, node C106C through node
F106F are second nodes.
The hardware configuration of the first node 105 is shown in drawing 21.
[0224] 

The node 105 consists of: one or more node proper function parts 202 (for an 
air-conditioner, for example, the processing sections which manage the air 
conditioning function, temperature management, the timer function and so on); a 
network card 205; a processor 200 which controls the proper function parts and the 
network card; a memory 201 which stores the programs executed by the processor and 
the group access database 308 and SA database 309 which realize group communication 
with user access control; a data output interface section 208 which connects a 
display for the user interface; a data input interface section 209 which connects a 
keyboard; a storage interface 206 which provides the interface to a memory card 207 
or the like; and a system bus 203 which connects these. Said storage interface 206 
has an LED (light emitting diode) light which notifies the user that a write to the 
inserted storage medium is in progress, and shows the user that writing or 
processing is under way by lighting the LED. The hardware configuration of the 
second node 106 is that of said first node 105 without the data output interface 
section 208 and the data input interface section 209, which are used for the user 
interface. 

[0225] 

The software configuration of the first node 105 is shown in drawing 20. 
It consists of: one or more application programs 301 which provide services between 
group member devices through the network; the TCP/UDP transmitting processing 
section 303, the IP transmitting section 304 and the network interface transmitting 
processing section 317 which controls the network card, which realize communication; 
the network interface reception section 310, the IP receive section 311 and the 
TCP/UDP reception section 315; the SA database 309 which manages the security 
associations (hereafter, SA) 900 of IPsec; the access policy database 308 which 
manages the information about access control to network devices and the group 
information used to realize group communication; the group management processing 
section 302 which performs group management; the storage interface processing 
section 318 which controls the storage interface; and the user interface processing 
section 151 which controls the data output interface section and the data input 
interface section. 

The IP transmitting section 304 consists of the IPv6 transmitting pretreatment 
section 305, which creates the IP header from DDA to Pseudo which the TCP/UDP 
transmitting processing section 303 created; the IPsec transmitting processing 
section 306, which checks whether an SA900 exists and performs IPsec processing 
when there is one; and the IPv6 transmitting after-treatment section 307, which 
passes the IP packet to the network interface transmitting processing section 317. 

The IP receive section 314 consists of the IPv6 reception pretreatment 311, which 
compares the payload length in the header of the IP packet received from the 
network interface reception section 310 with the received-data length and processes 
header options; the IPsec reception section 312, which searches for the SA900 and 
performs authentication or decode processing when there is an AH header or an ESP 
header; the receiving access-control section 316, which judges whether the IP packet 
is accepted when there is no AH header or ESP header; and the IPv6 receiving 
after-treatment section 313, which replaces the IP header with a Pseudo header and 
passes the received data to the TCP/UDP transmitting processing section 315. 
[0226] 

In addition to the root group generation processing 3200, the participating 
processing 3300, the leaving processing 3400, the information update process 3500 
and the group-control IP packet reception 3600 based on the embodiment described 
above, the group management processing section 302 performs the user access control 
processing 2100, which receives access-control setting demands from a user, and the 
subgroup management processing 2200, which handles the commands about subgroup 
management received from other network devices. 

[0227] 

The group managed table 600, the access user managed table 2001 and the access 
application managed table 2003 are arranged in the group access database 308. 
[0228] 

In the SA database 309, an SA900 mapped by source address and destination address 
is arranged for each transmit direction and receive direction, in order to realize 
IPsec communication. 

The software configuration of the second node 106 is that of said first node 105 
with the user interface control section 151, which is used for the user interface, 
and the user access control section 2100 removed. In addition, the access user 
managed table 2001 is not arranged on the group access database 120. 

The configuration of the subgroups 108 to which this invention is applied is shown 
in drawing 22. The drawing shows two subgroups 108. A subgroup 108 groups the nodes 
which each user may use. When a user uses a service which operates other nodes 105 
and 106 from the first node 105, User A can use only the nodes 105A, 105B, and 106C 
which constitute subgroup a108A, and User B can use only the nodes 105A, 106D, and 
106E which constitute subgroup b108B. User B cannot use a service which accesses 
node C106C from node A105A. 
[0229] 

In a home network, subgroups 108 are set up on the root group 107. If the father's 
subgroup consists of the PC, television, air-conditioner, and video, the temperature 
setup of the air-conditioner and the reservation setup of the video can be performed 
from the PC and the television. On the other hand, if the son's subgroup consists of 
the television and the video, the son can perform the video reservation setup from 
the television but cannot perform the temperature setup of the air-conditioner. 
[0230] 

Hereafter, the construction method and the operation sequence of this subgroup 108 
are explained using drawing 23 through drawing 31. 

Drawing 23 shows the three phases of a node 105 or 106 connected to the network. 
The first phase is the group-less phase 2301, the condition in which the node 105 
or 106 has been connected to the network. From the group-less phase 2301, the node 
moves to the second phase, the root group phase 2302, by generating the root group 
107 or by joining the root group 107 according to said embodiment. In this second 
phase, communication between the nodes 105 and 106 in the root group 107 is 
encrypted by 3DES using the common group key 602 of the root group 107. From the 
root group 107, the third phase, the subgroup phase 2303, is reached by a user's 
access privilege and the selection of the nodes which can be used. In the third 
phase, communication between the nodes 105 and 106 in a subgroup 108 is encrypted 
by 3DES using the common group key 602 of the subgroup 108. 

Drawing 24 shows the procedure of the user access control processing 2100, which 
performs user access control in the group management processing section 302. The 
user access control processing 2100 is started in the first node 105 in order to 
receive demands from a user. A user may start this processing, it may be started 
when the node joins the root group 107, or it may run as a resident program of the 
node 105. The user access control processing 2100 can be started in root group 
phase 2302 or subgroup phase 2303 (step 2101). 

"A right setup of user access", "right disconnection of user access", and "service 
use" are shown on the display (step 2102), the user chooses which to use, and 
according to the selection the right setting processing (2110) of user access, the 
right release processing (2130) of user access, or the subgroup access privilege 
check processing (2150) is performed. 

Drawing 25 shows the procedure of the right setting processing 2110 of user access. 
As the 1st step, the host names registered in the group managed table 600 for the 
root group 107, which is managed in the group access database 308, are shown on the 
display (step 2111). The group managed table for the root group 107 is assumed to 
have root set in the classification area 607. 

As the 2nd step, the two or more host names which the user entered for registration 
as a subgroup 108 are received, a new group managed table 600 is allocated on the 
group access database 308, its classification 607 is set to sub, and the host names 
are registered (step 2112). 

As the 3rd step, the group identification descriptor 601 of other group managed tables 
600 and the conflicting group identification descriptor 601 are chosen, and a group 
identification descriptor 501 is set as the new group managed table 600 (step 2113). 
As the 4th step, the common group key 602 used for encryption in the subgroup 108 
is generated and set in the new group managed table 600, and a key lifetime and 
3DES as the cryptographic algorithm are set (step 2114). 

As the 5th step, the subgroup creation demand frame 2601 is created and transmitted 
to all the network devices 105B and 106C that constitute the subgroup 108 (step 2115). 
[0231] 

As shown in drawing 26, the transmitted frame consists of a command identifier which 
shows a subgroup creation demand, the group identification descriptor 601 of the 
subgroup, a host name list of all the nodes that constitute the group, the group key 
602 of the subgroup, and its expiration date. This frame 2601 is transmitted as a 
UDP datagram through the TCP/UDP transmitting processing section 303, and is 
encrypted with the group key of the root group 107 in the IP transmitting section 
304. Transmission to each network device is confirmed by the check frame 2602 
returned from each node. As shown in drawing 26, the check frame 2602 consists of a 
command identifier which shows the confirmation of receipt and the group 
identification descriptor 601. When the check frame 2602 cannot be received within a 
fixed time, the subgroup creation demand frame 2602 may be resent. 

When the subgroup creation demand frame 2601 is transmitted, a resolver demand 
containing the host name is passed to the IP transmitting section 310 in order to 
obtain the IP address from the host name of the node 105 or 106. The IP transmitting 
section 310 searches its resolver table, which consists of host names, IP addresses, 
and timers which manage the table registration time, for the IP address which 
matches the host name, and returns it as the result of the demand. When the table 
has no matching host name, the address is resolved from the host name by ICMP Echo 
Request/Reply, the pair of host name and IP address is registered in the resolver 
table, and the address is returned as the result of the demand. 
[0232] 

As the 6th step, an SA900 for transmission and an SA900 for reception are created 
for every network device that constitutes the subgroup 108 (step 2116). 
The configuration of SA900A is shown in drawing 27. 
[0233] 

As SA900A for transmission, the group identification descriptor 601 is set as the 
SPI, the address of the node's own network device is set as the source IP address, 
and the IP address of another network device which constitutes the subgroup is set 
as the destination IP address. In this embodiment, ESP is set as the protocol, 
transport as the mode, 3DES as the cryptographic algorithm, and the group key 601 of 
the subgroup as the cryptographic key. SA900A for reception has the same 
configuration as SA900 for transmission, except that the IP address of the other 
network device is set as the source IP address and the address of the node's own 
network device is set as the destination IP address. 
[0234] 

As the 7th step, the access user ID and the password by the user are received 
through the data input interface section 209 and the data output interface section 
208 (step 2117). 
[0235] 

The authentication key 2002 is generated as the 8th step (step 2118). 
[0236] 

As the 9th step, the user ID, the password, the authentication key 2002, the global 
IP address of the node's own network device, and the group identification descriptor 
601 of the subgroup are written to the empty, formatted memory card 207 which the 
user inserted (step 2119). 



[0237] 

As the 10th step, the group identification descriptor of the authentication key 2002, 
user ID, and a subgroup is set as the access user managed table 2001 of the group 
access database 308 (step 2120). 

[0238] 

As the 11th step, which is the last of the right setting processing 2110 of user 
access, the subgroup access privilege setting frame 2603 is created and transmitted 
to all the nodes that constitute the subgroup 108 (step 2121). 
[0239] 

A transmitting frame structure is constituted from the command identifier which 
shows a subgroup access privilege setup as shown in drawing 26 , the group 
identification descriptor 601 of a subgroup, user ID, an authentication key 2002, and a 
password, and the same procedure as the subgroup setting demand frame 701 
mentioned above performs transmission and a transmitting check. 
[0240] 

Next, drawing 28 shows the procedure performed by the subgroup management processing 
2200 in the group management processing section 302 of the nodes 105 and 106 which 
constitute the subgroup 108 and which received the subgroup setting demand frame 
2601 and the subgroup access privilege setting frame 2603. 
[0241] 

The subgroup setting processing 2200 can be started at root group phase 2301 or 
subgroup phase 2303 (step 2201). 

When the subgroup setting demand frame 2601 is received, the group managed table 
600 is allocated and the information which the frame carries is set in it. Next, 
SA900 for transmission and SA900 for reception are created as shown in the right 
setting processing 2110 of user access (step 2202). 
[0242] 

When the subgroup access privilege setting frame 2603 is received and a self-node is 
the first node 105, the access user managed table 2001 of the group access database 
308 is allocated, and the group identification descriptor which is the information which 
a frame has, user ID, an authentication key, and a password are set up (step 2203). 
The confirmation-of-receipt frame 2602 shown in drawing 26 is returned as the 
confirmation of receipt of the subgroup setting demand frame 2601 and the subgroup 
access privilege setting frame 2603 (step 2203). 
[0243] 

Construction of a subgroup is completed by the above. 
[0244] 

Next, the procedure of the subgroup access privilege disconnection processing 2150 
is shown. 

When a manager or a user chooses subgroup access privilege disconnection, the 
subgroup release request frame 2604 shown in drawing 26, which consists of a command 
identifier which shows a subgroup release request and the group identification 
descriptor 601 of the subgroup, is transmitted to all the network devices that 
constitute the subgroup. Then, the group managed table 600, access, and the security 
association with the group identification descriptor 601 of the subgroup specified 
by the manager are released, and the corresponding entry of the access user managed 
table 2001 is deleted. 
[0245] 

In the subgroup management processing 2200 in the group management processing 
section 302 which received this frame, as shown in drawing 28 , the group managed 
table 600 and SA900 with the subgroup identifier 601 directed by the received frame 
are deleted (step 2205), and when a self-node is the first node 105, the 
correspondence column of an access user managed table is deleted (step 2206). 
[0246] 

The created subgroup is releasable with the above procedure. 

Hereafter, the communication procedure in a subgroup 108 is explained using drawing 
29 through drawing 31. 

[0247] 

A procedure in case a user uses a subgroup 108 is shown. 

In the user access control processing 2100, the user chooses "service use" from "a 
right setup of user access", "right disconnection of user access", and "service use" 
which were displayed on the display (step 2102). 
[0248] 

When two or more services can be offered, one service may be made to choose at 
the time of this selection. The above-mentioned selection performs subgroup access 
privilege check processing 2150. 

In drawing 29, the procedure of the subgroup access privilege check processing 2150 
is shown. As the 1st step, the user is directed to insert the memory card 207 which 
stores the user ID, the password, and the authentication key (step 2151). 
[0249] 

As the 2nd step, when the user inserts the memory card 207, the access user managed 
table 2001 on the group access database 308 which corresponds to the user ID on the 
memory card 207 is searched, and it is checked that the password stored on the 
memory card matches the password of the access user managed table 2001 (step 2152). 
[0250] 

When there is no access user managed table 121 whose user ID corresponds, or when 
the password does not match, an authentication error is shown on the display and 
processing is ended (step 2153). 
[0251] 

As the 3rd step, the application corresponding to the service specified by the user 
is started, and the source port number assigned to the socket which the application 
uses for data transmission and reception is received (step 2154). 

The assigned source port number is set in the port number area 608 of the group 
managed table 600 whose group identification descriptor 601 matches the one on the 
memory card (step 2155). 

[0252] 

As the 4th step, a node starts the user access condition process 2300, and ends 
subgroup access privilege check processing (step 2156). 

In this embodiment, the application program 301 opens a socket as initial processing 
in order to perform data transfer, and since the source port number is assigned by 
the socket processing section at that time, it can be notified to the subgroup 
access privilege check processing 2150. 

[0253] 

The procedure of the user access condition process 2300 is shown in drawing 30. 
The user access condition process 2300 detects that the user has removed the memory 
card 207 and, in order to end the access privilege to the subgroup 108, deletes the 
source port number which was set in the group managed table 600 by the group access 
privilege check processing 2150 (step 2301). 
[0254] 

This makes it possible to stop the use of the subgroup 301 by the user. 

Next, the IP packet transmit and receive procedure in the subgroup for the 
application specified by the user is shown. 

[0255] 

Drawing 31 shows the procedure of the IPsec transmitting processing section 306. 
As the 1st step, the SA database is searched for an SA whose source IP address and 
destination address match those of the packet to be transmitted (step 4101). 

As the 2nd step, if the user access condition process 2300 is not running, an SA900 
whose classification is root is searched for (step 4102). Whether the SA belongs to 
the root group 107 is judged from the classification 607 of the group managed table 
600 which has the group identification descriptor 601 of the SA900 whose source IP 
address and destination IP address matched. 
[0256] 

Using the group key 602 which that SA900 manages, the IP packet is encrypted and 
IPsec transmitting processing is performed (step 4103). 
If the user access condition process 1100 is running, as the 3rd step an SA900 whose 
classification is sub is searched for (step 4104), and it is checked whether the 
port number of the group managed table 122 corresponding to the SPI of the SA900 
found matches the source port number in the TCP or UDP header of the packet to be 
transmitted (step 4105). When they match, IPsec transmitting processing 4103 is 
performed using that SA900. 
[0257] 



Processing is ended when there is no matching SA. In this case the IP packet is 
transmitted without IPsec processing, so it is discarded by the access control of 
the receiving side, with the procedure shown below, as not being communication of a 
root group or a subgroup. 

Next, the IPsec reception procedure for an IP packet transmitted by the procedure 
shown in drawing 31 is shown. In the IPv6 reception pretreatment section 311 of the 
IP receive section 314, when the received packet has an AH header or an ESP header, 
the IPsec reception section 312 is started. 
[0258] 

The IPsec reception section 312 searches the SA database for the SA which matches 
the SPI contained in the AH header or ESP header. Decode processing is performed 
with the cryptographic key contained in the SA found. 
[0259] 

When there is no AH header or ESP header, that is, when IPsec communication is not 
being performed, the receiving access-control section 316 compares the port numbers 
registered in the application managed table 700 for access control with the 
destination port number of the received packet, and when they match, the packet is 
handed over to the TCP/UDP reception section 315, which is the upper-layer 
processing section. Other IP packets, unless they are control packets such as ICMP 
packets, are discarded as packets from outside the root group or the subgroup. 
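
The transmit-side SA choice of drawing 31 and the receive-side check described above, modelled as an added example (not code from the patent). Class and field names, the constructed 2001:db8:: addresses, matching receive SAs on source address as well as SPI, and dropping an ESP/AH packet that has no matching SA are assumptions of this sketch.

```python
from dataclasses import dataclass, field
from typing import Optional

ROOT, SUB = "root", "sub"              # values of classification 607


@dataclass
class GroupTable:                      # one group managed table 600
    group_id: int                      # group identification descriptor 601, used as the SPI
    kind: str                          # classification 607
    ports: set = field(default_factory=set)   # port number area 608


@dataclass(frozen=True)
class SA:                              # one SA900 (one direction between two addresses)
    spi: int
    src: str
    dst: str


class Node:
    def __init__(self, addr: str):
        self.addr = addr
        self.groups = {}               # group_id -> GroupTable
        self.sa_db = []                # SA database 309
        self.user_session = False      # True while user access condition process 2300 runs
        self.cleartext_ports = set()   # application managed table 700

    def join(self, table: GroupTable, members):
        """Register a group and create a transmit and a receive SA per peer."""
        self.groups[table.group_id] = table
        for peer in members:
            if peer != self.addr:
                self.sa_db.append(SA(table.group_id, self.addr, peer))
                self.sa_db.append(SA(table.group_id, peer, self.addr))

    def select_tx_sa(self, dst: str, src_port: int) -> Optional[SA]:
        """Return the SA to encrypt with, or None (packet leaves without IPsec)."""
        for sa in self.sa_db:
            if sa.src != self.addr or sa.dst != dst:          # step 4101
                continue
            table = self.groups[sa.spi]
            if not self.user_session:
                if table.kind == ROOT:                        # step 4102
                    return sa
            elif table.kind == SUB and src_port in table.ports:   # steps 4104, 4105
                return sa
        return None

    def receive(self, src: str, spi: Optional[int], dst_port, icmp=False) -> str:
        """spi is None when the packet carries no AH or ESP header."""
        if spi is not None:
            hit = any(sa.spi == spi and sa.src == src and sa.dst == self.addr
                      for sa in self.sa_db)
            return "decrypt" if hit else "drop"               # drop is an assumption
        if icmp or dst_port in self.cleartext_ports:
            return "deliver"
        return "drop"                                         # outside root group / subgroup


def build_home():
    """Root group (id 1) of nodes a-e; subgroup a (id 2) of nodes a, b, c. Constructed data."""
    addrs = {n: f"2001:db8::{n}" for n in "abcde"}
    nodes = {n: Node(a) for n, a in addrs.items()}
    for node in nodes.values():
        node.join(GroupTable(1, ROOT), addrs.values())
    for n in "abc":
        nodes[n].join(GroupTable(2, SUB), [addrs[m] for m in "abc"])
    return nodes


if __name__ == "__main__":
    home = build_home()
    a, c, d = home["a"], home["c"], home["d"]
    print("no user session :", a.select_tx_sa(c.addr, 40000))
    a.user_session = True
    a.groups[2].ports.add(40000)       # step 2155: port of the started application
    print("registered port :", a.select_tx_sa(c.addr, 40000))
    print("other port      :", a.select_tx_sa(c.addr, 40001))
    print("non-member node :", a.select_tx_sa(d.addr, 40000))
    print("cleartext at c  :", c.receive(a.addr, None, 8080))
```

While the user session is active the root SA is never chosen, so traffic from an unregistered port or to a node outside the subgroup leaves unencrypted and is discarded by the receiver's access control.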
[0260] 

In the IPsec transmitting processing shown in drawing 31, the SA900 for a packet to 
be transmitted is specified when the classification of the group managed table 600 
is sub and its port number matches the source port number of the packet. Instead, an 
active area which stores a subgroup identifier may be prepared in the group access 
database 308. Rather than storing the source port number obtained at application 
start-up in the corresponding group managed table 600 in drawing 29 (steps 2154 and 
2156), the group identification descriptor 601 stored on the memory card 207 is set 
in said active area, and in the IPsec transmitting processing 132 the SA900 can also 
be specified when the group identification descriptor 601 of said active area 
matches the SPI of the SA900. 
[0261] 

In this case, only a group identification descriptor 601 needs to be managed in 
said active area, even when two or more application programs 301 run 
simultaneously. 
[0262] 

On the other hand, when managing a port number on the group managed table 600, 
two or more port numbers corresponding to an application program 301 are required. 
[0263] 



Thus, within the root group 107, which consists of two or more nodes 105 and 106 
that share a common key and perform IPsec communication, a subgroup 108 is formed 
from two or more nodes 105 and 106 controlled from the first node 105, which is 
equipped with the user interface. So that IPsec communication within the subgroup 
108 can be realized with a second common cryptographic key, at the time of subgroup 
setup the first node 105 transmits the common cryptographic key of the subgroup and 
the user access information stored on the storage medium 207 to the other first and 
second nodes 105 and 106 using the cryptocommunication of the root group 107, and 
the subgroup 108 is built. 
[0264] 

By this, an SA900 with the group key of the subgroup 108 is set up in the nodes 105 
and 106 which constitute a subgroup 107. When a user uses the subgroup from the 
first node 105, the user puts the storage medium 207 into the node 105, and the user 
is authenticated and the subgroup 108 to be used is identified. The node 105 has a 
means to store the port number 608 of the application 301 to be used. When the node 
transmits, if said port number matches the source port number in the UDP or TCP 
header of the packet to be transmitted at the time of SA900 retrieval in IPsec 
transmitting processing, the packet is transmitted using that SA900. Communication 
only within the subgroup 108 and user access control to the group are thereby 
realized. 
[0265] 

Next, using drawing 32 through drawing 36, the procedure by which a user who has 
the access privilege to the subgroup accesses the subgroup from an external network 
is shown. 

Drawing 32 shows an example of the system configuration of this embodiment. 

[0266] 

The system consists of a host 4201 linked to the network in ** and an external 
network, the external network, and nodes 105A, 106B, 106C, and 106D which constitute 
the network in **; these nodes 105 and 106 constitute the root group 107. In this 
configuration, node A105A is the first node equipped with the user interface, and 
the subgroup 108 which consists of node A105A, node B106B, and node C106C is assumed 
to have been built according to the procedure of the embodiment described above. 
[0267] 

The procedure by which a user with the access privilege to a subgroup 108, who has 
the memory card 207 which stores the user ID, the password, the authentication key, 
etc., accesses the subgroup 108 from a host 3201 is shown. 
[0268] 

Software which performs the subgroup access client processing 4301 for realizing 
the access control to a subgroup is assumed to have been installed on the host 4201 
beforehand and to be started by the user. 
[0269] 

The procedure of the subgroup client processing 4301 is shown in drawing 33. 

As the 1st step, the user is directed on the display to insert said memory card 207 
and to input the user ID and the password (step 4302). 
[0270] 

In response to insertion of the memory card 207 and the input of the user ID and 
password by the user, as the 2nd step it is checked that the user ID and password on 
the memory card 207 match the input values (step 4303). 
When they do not match, a user authentication error is displayed and processing is 
ended (step 4304). 

[0271] 

When they match, as the 3rd step, the authentication information obtained by 
operating on the user ID and password with the authentication key 2002 is 
transmitted as the authentication information frame 4401 shown in drawing 34, as a 
UDP or TCP packet whose destination address is the IP address stored on the memory 
card 207 (step 4305, step 4306). 
[0272] 

3DES, a cryptographic algorithm of the common key encryption type, is assumed to be 
used for said operation. 

[0273] 

As the 4th step, reception of the authentication acceptance frame 4402 shown in 
drawing 34, which node A105A returns in response to the authentication information 
frame 4401, is awaited (step 4307). 
[0274] 

As the 5th step, when the frame is received and its State is O.K., the 
authentication group key information which the frame carries is decrypted with the 
authentication key 126 on the memory card, and the group key 124 of the subgroup is 
obtained (step 4308). If the State is NG, a user authentication error is shown on 
the display and processing is ended (step 4304). 
[0275] 

As the 6th step, SA900 for transmission and SA900 for reception are created with 
the group key 124 of the subgroup 301, with the IP address on the memory card 207 as 
the source / destination (step 4310). 

[0276] 

Since the group key 601 of the subgroup 108 of the network in ** can thus be shared 
with the host 4201 connected to the external network, cryptocommunication using the 
group key 601 of the subgroup becomes possible in the communication with node A105A, 
which constitutes the subgroup 108. 

[0277] 

In this client processing, as the 7th step, when the memory card 207 is removed, 
the access privilege to the subgroup 108 is regarded as lost and the access 
privilege release frame 3403 shown in drawing 34 is sent to node A105A (step 4311). 
[0278] 

About the packet sent from a host 4201, the confirmation of receipt of a frame may 
be performed using the confirmation-of-receipt frame 4404 shown in drawing 34. 
As the 8th step, SA900 created at the 6th step is released (step 4312). 
[0279] 

The processing configuration of the group management processing section 302 in first 
node 105A which receives access from an external network is shown in drawing 35 . 
[0280] 

In addition to the subgroup management processing 2200 and the user access control 
processing 2100, the group management processing section 302 consists of the remote 
access control processing 2500 for receiving access from an external network, and 
the application proxy 2400 for starting, from an external network, the application 
program which uses the network devices that constitute the subgroup. 
[0281] 

The procedure in the remote access control processing 2500 is shown in drawing 36 . 
The remote access control processing 2500 is started when the frame from the host 
4201 of an external network is received. 
[0282] 

A frame can be judged to be from the host 4201 of an external network because the 
subnet prefix of its source IP address differs from the subnet prefix assigned to 
the network in **. 
[0283] 

In group communication, an IP packet which has not been encrypted by IPsec is 
discarded in the receiving access-control section 316 as communication from a 
network device outside the group. To avoid this, the port number of the remote 
access control processing 2300 is registered beforehand in the application managed 
table 700 for access control. The port number registered is the one assigned by the 
initialization processing at the time the group management processing section 302 
starts, or a fixed port number. 
[0284] 

When the received frame is the authentication information frame 4401 shown in 
drawing 34, the authentication information of the frame 4401 is decoded with the 
authentication key 2002 which matches the group identification descriptor 601 of the 
subgroup in the authentication information frame 4401, and the user ID and password 
are picked out from an access user managed table (step 2501). 
[0285] 

It is checked that this user ID and password match the values held in the access 
user managed table 2001 which corresponds to the subgroup identifier 601 (step 2502). 
[0286] 

If they do not match, the packet is discarded, the authentication acceptance frame 
4402 shown in drawing 34 with the State set to NG is returned, and processing is 
ended (step 2503). 

When they match, the group key information obtained by encrypting the group key 602 
of the corresponding group managed table 600 of the subgroup 108 with the 
authentication key 2002 is returned to the host 4201 in the authentication 
acceptance frame 4402 shown in drawing 34, with the State set to O.K. (step 2504). 

[0287] 

SA900 which set up the group key 602 of the subgroup 108 which made a host's 4201 

IP address the transmitting agency / transmission place is created (step 2505). 

In order to enable it to use the application which node A105A offers by the host 4201, 

the application proxy processing 2400 is started (step 2506). 

[0288] 

When the access privilege release command 4403 is received from a host 4201, the 
check frame 4404 shown in drawing 34 is returned to a host 4201 (step 2507), SA900 
between node 105A is released with a host 4201 (step 2508), the port number of the 
corresponding group managed table 600 is deleted (step 2509), and the application 
proxy processing 2400 is ended (step 2510). 
[0289] 

Furthermore, the group key 602 of the subgroup 108 accessed by the host 4201 is 

updated (step 2511). 

[0290] 

Thereby, a subgroup cannot be accessed though the key information on subgroup 

access remains in the host 4201. 
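The exchange of steps 2501 to 2511 can be followed end to end in the added Python sketch below, which is not code from the patent. The frame field names, the JSON payload, the sample address and credentials, and the HMAC-SHA256 stand-in cipher are assumptions (the page names no algorithm); the proxy and port-table steps 2506, 2509 and 2510 are left out.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in cipher (assumption, the page names no algorithm): HMAC-SHA256 as a
# keystream generator plus an HMAC-SHA256 tag, so a wrong key or tampering is detected.
def _stream(key, nonce, length):
    blocks = [hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or None when the tag does not verify."""
    if len(blob) < 48:
        return None
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ s for c, s in zip(body, _stream(key, nonce, len(body))))

class Node:
    """Node side of remote access control processing 2500."""
    def __init__(self, subgroup_id, auth_key, user_id, password):
        # Access user management table 2001, keyed by subgroup identifier 601:
        # (authentication key 2002, user ID, password).
        self.access_users = {subgroup_id: (auth_key, user_id, password)}
        # Group management table 600: subgroup identifier 601 -> group key 602.
        self.group_keys = {subgroup_id: secrets.token_bytes(32)}
        self.sa = {}  # SA 900 entries: host address -> (subgroup id, group key)

    def _credentials(self, auth_key, blob):
        plain = unseal(auth_key, blob)                      # step 2501
        if plain is None:
            return None
        try:
            data = json.loads(plain)
        except ValueError:
            return None
        if not isinstance(data, dict):
            return None
        return str(data.get("user_id")), str(data.get("password"))

    def on_auth_frame(self, host_addr, frame):
        """Handle authentication information frame 4401, answer with frame 4402."""
        subgroup_id = frame.get("subgroup_id")
        entry = self.access_users.get(subgroup_id)
        creds = self._credentials(entry[0], frame.get("auth_info", b"")) if entry else None
        ok = (creds is not None                             # step 2502
              and hmac.compare_digest(creds[0].encode(), entry[1].encode())
              and hmac.compare_digest(creds[1].encode(), entry[2].encode()))
        if not ok:
            return {"frame": 4402, "state": "NG"}           # step 2503
        group_key = self.group_keys[subgroup_id]
        self.sa[host_addr] = (subgroup_id, group_key)       # step 2505
        return {"frame": 4402, "state": "OK",               # step 2504
                "group_key_info": seal(entry[0], group_key)}

    def on_release(self, host_addr):
        """Handle access privilege release command 4403, answer with frame 4404."""
        entry = self.sa.pop(host_addr, None)                # step 2508
        if entry is None:
            return None
        self.group_keys[entry[0]] = secrets.token_bytes(32) # step 2511: update the key
        return {"frame": 4404}                              # step 2507

class Host:
    """External host side (subgroup access client)."""
    def __init__(self, subgroup_id, auth_key, user_id, password):
        self.subgroup_id, self.auth_key = subgroup_id, auth_key
        self.user_id, self.password = user_id, password
        self.group_key = None

    def auth_frame(self):
        info = json.dumps({"user_id": self.user_id, "password": self.password}).encode()
        return {"frame": 4401, "subgroup_id": self.subgroup_id,
                "auth_info": seal(self.auth_key, info)}

    def on_acceptance(self, frame):
        if frame["state"] != "OK":
            return False
        self.group_key = unseal(self.auth_key, frame["group_key_info"])
        return self.group_key is not None

def run_demo():
    # Constructed sample values; the address is from the IPv6 documentation prefix.
    sg, addr, auth_key = "subgroup-108", "2001:db8:1::42", secrets.token_bytes(32)
    node = Node(sg, auth_key, "alice", "correct horse")
    rejected = node.on_auth_frame(addr, Host(sg, auth_key, "alice", "wrong").auth_frame())
    host = Host(sg, auth_key, "alice", "correct horse")
    accepted = node.on_auth_frame(addr, host.auth_frame())
    matched = host.on_acceptance(accepted) and host.group_key == node.group_keys[sg]
    confirm = node.on_release(addr)
    return {"rejected_state": rejected["state"], "accepted_state": accepted["state"],
            "host_key_matched": matched, "confirm_frame": confirm["frame"],
            "sa_after_release": len(node.sa),
            "stale_key_still_valid": host.group_key == node.group_keys[sg]}

if __name__ == "__main__":
    print(run_demo())
```

The last field of the result is the point of step 2511: the host still holds the old group key after release, but it no longer matches the key in the node's group management table.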
[0291] 

The procedure of the application proxy processing 2400 is shown in drawing 37.
[0292]

Suppose that the application proxy processing 2400 operates as a Web server and
that communication between the host 4301 connected to an external network and node
A 105A is HTTP-based. First, a subgroup 301 is constituted as application proxy
processing 114.
[0293]

Next, as the first step, the user is notified of the service application information
that can be used (step 2401).

[0294]

As the second step, the user's designation of the service application to be used is
received, the corresponding application program 301 is started on node A 105A, and
its source port number is obtained in accordance with the embodiment described above
(step 2402).

[0295]

Communication between the host 4301 and node A 105A in the first and second steps
is HTTP-based.
[0296]

As the third step, the source port number thus obtained is registered in the group
management table 600 under the corresponding group identifier 601 (step 2403).

The application program 301 of node A 105A is operated from the host 4301 through
the application proxy processing 2400 (step 2404). Specifically, with the application
proxy, the node acts as a substitute for the communication with the application.
Requests from the application program 301 of node A 105A to the other nodes 106B
and 106C that constitute the subgroup 108 are subject to the access control of
subgroup communication according to the IPsec transmission procedure of drawing 31
in the embodiment described above.
[0297]

Moreover, in the user access right decision processing 2110 of drawing 25, the
addresses and host names of the nodes 105 and 106 that constitute the subgroup 108
are stored on the memory card 207 as its storage information, and, in the second node
106, the access user management table 2001 is created in the group access database
305 when the subgroup access privilege decision frame 2603 is received. By having the
second node, like the first node 105, perform the remote access control processing
2500 and the application proxy processing 2400 in the group management processing
section 302 shown in drawing 35, the user can choose, on the host 4301, a host name
stored on the memory card 207 and directly access all the nodes 105A, 106B and 106C
that constitute the subgroup 108.
[0298]

With this procedure, user access authentication is realized between a host located on
an external network and the nodes that built the subgroup, and, because the common
key of the subgroup is distributed to the host, the host can participate in the group
communication of the network in ** without a special authentication server being
provided.
[0299] 

According to this embodiment, a user's own second group communication can be
realized by choosing the network devices that the user can use, and by encrypting the
second common encryption key used by the selected network devices with the
aforementioned encryption key (the first encryption key) and distributing it from the
network device that performs said group communication.
Moreover, the second encryption key, the corresponding user's identifier and the
password information are managed by the network device and the storage medium: the
identifier of the second encryption key is managed on the storage medium, the network
device manages said identifier paired with the second encryption key, and said
information is encrypted with the first encryption key and distributed to the other
network devices that perform the second group communication. When a user uses a
network device, whichever network device it is checks that the information on the
storage medium and the information on the network device agree, and when the user
communicates, the group communication is carried out as encrypted communication
with the second common encryption key that is paired with the identifier on the
storage medium. In this way, whether the user may use the group communication can
be controlled.
[0300]

Moreover, the source port number of the application that the user uses is stored, and
at packet transmission the source port number of the packet is compared with the
stored source port number. Only when they agree is encrypted communication
performed with the second common encryption key, and the receiving side discards any
packet that is not encrypted, so that use of the group communication can be
controlled.
[0301]

Furthermore, in this embodiment, the address and the authentication key of a network
device are managed on the storage medium. The authentication key is managed in the
network device, encrypted with the first encryption key, and its management is
requested of the other network devices that perform the second group communication.
When a user starts communication with a network device of the second group
communication from a network device that is not a target of the group communication,
the user ID and password on the storage medium are encrypted with the authentication
key on the storage medium, and the encrypted information is transmitted to the
address on the storage medium. The network device of the second group communication
decrypts the user ID and password with the authentication key and checks them, and
then encrypts the second common encryption key with the authentication key and
returns it. Encrypted communication with the second encryption key can thereby be
realized with network devices that are not targets of the group communication.
[0302]

[Effect of the Invention]

In this embodiment, even without equipment specially provided with an authentication
server or a key management means, the devices that constitute a group can
authenticate each other as members of the group, and a group that realizes secure
communication can easily be created and managed.
[0303]

Moreover, when a device has both applications provided only to devices in the group
and applications provided to devices outside the group, the access control can be
performed with a simple configuration.
[Brief Description of the Drawings]

[Drawing 1] A drawing showing the system configuration of an embodiment to which
this invention is applied.
[Drawing 2] A drawing showing the hardware configuration of the node in this
embodiment.
[Drawing 3] A drawing showing the software configuration of the node in this
embodiment.
[Drawing 4] A drawing showing the configuration of the IP packet with an AH header
used for group communication.
[Drawing 5] A drawing showing the configuration of the IP packet with an ESP header
used for group communication.
[Drawing 6] A drawing showing the functional configuration of the group management
processing section in this embodiment.
[Drawing 7] A drawing showing an example of the configuration of the data part of the
group control IP packet in this embodiment.
[Drawing 8] A drawing showing an example of the configuration of a group management
table.
[Drawing 9] A drawing showing an example of the configuration of the application
management table for access control.
[Drawing 10] A drawing showing an example of the configuration of a group member
management table.
[Drawing 11] A drawing showing an example of the information set up as a security
association.
[Drawing 12] A drawing showing the procedure of group management processing.
[Drawing 13] A drawing showing the procedure of group generation processing.
[Drawing 14] A drawing showing the procedure of group participation processing.
[Drawing 15] A drawing showing the procedure for notifying a group of a new member.
[Drawing 16] A drawing showing the procedure of group leaving processing.
[Drawing 17] A drawing showing the procedure of group control IP packet reception.
[Drawing 18] A drawing showing the procedure of the IP receive section at the time of
IP packet reception.
[Drawing 19] A drawing showing the procedure of the receiving access-control section
at the time of IP packet reception.
[Drawing 20] A drawing showing the software configuration of a network device and the
network system constituted from network devices.
[Drawing 21] A drawing showing the hardware configuration and the storage information
of a storage medium.
[Drawing 22] A drawing showing the range of the first group communication and the
second group communication.
[Drawing 23] A drawing showing the connection phase of the network devices that
perform group communication.
[Drawing 24] A drawing showing the procedure that performs user access control in the
group management processing section.
[Drawing 25] A drawing showing **** for the procedure of the user access right setting
processing.
[Drawing 26] A drawing showing the frame structures exchanged, in the user access
right setting processing, with the network devices that perform the other group
communication.
[Drawing 27] A drawing showing one example of the configuration of an SA.
[Drawing 28] A drawing showing the subgroup management procedure in the group
management processing section.
[Drawing 29] A drawing showing the procedure of subgroup access privilege check
processing.
[Drawing 30] A drawing showing the procedure of the user access condition process.
[Drawing 31] A drawing showing the procedure of the IPsec transmitting processing
section.
[Drawing 32] A drawing showing an example of a system configuration to which this
invention is applied.
[Drawing 33] A drawing showing the procedure of subgroup access client processing.
[Drawing 34] A drawing showing the frame structures exchanged between a host and a
node.
[Drawing 35] A drawing showing the processing configuration of the group management
processing section in the first node.
[Drawing 36] A drawing showing the procedure of remote access control processing.
[Drawing 37] A drawing showing the procedure of application proxy processing.

[Description of Notations]

100, 105, 106: node; 107: root group; 108: subgroup; 207: memory card;
301: application; 302: group management processing section; 308: access policy
database; 309: SA database; 314: IP receive section; 304: IP transmitting section;
312: IPsec reception section; 316: receiving access-control section; 600: group
management table; 700: application management table for access control; 800: group
member management table; 900: security association; 2001: access user management
table; 2002: authentication key; 2100: user access control processing; 2150: subgroup
access privilege check processing; 2200: subgroup management processing;
2400: application proxy processing; 2500: remote access control processing;
3100: control section; 3200: group generation processing section; 3300: group
participation processing section; 3400: group leaving processing section; 3500: group
information update processing section; 3600: group control IP packet reception
section; 4201: host; 4301: subgroup access client processing.


[ 0 0 8 1 ]

[ 0 0 8 2 ] 

^" ;b - # ijD M a SI5 3 3 0 0 , R # O ;l' - 7" . f? fc ^ ^« y i: b T g # «r # in $ 

i. :/#*pffla^tT '5 o T^. So >^#tofflatt. SO fp gp 3 i o o ^ t u A 

- F (C a ;l/ - :/ e a -r - 7' ;l/ 6 0 0 # -r § 7 ^ -b X :^ U y x - - X 3 0 8 
t ^ - 7° « a T - 7 ;l' 6 0 0 # ft L * l/^ t W 8ff L fc K It t) ti 5 O ? ife § o 10 
[ 0 0 8 3 ] 

7'#iipS!Lagi5 3 3 0 0 }f A^nfc^^ 'J Ftctstt^nTv^sHgif ajI^Ci£:^ 

S^lffg^^tiL. S/c. F 1 0 0 iiBg^Sffi^ff^ 5 /iiitCiesS^lf^B^^ 

;^-y^cK^^:S LTi/^§ffi<Dy - F 1 0 0 tc^fflf §c ;>< ^ U * - F O ^" 

f--7';i'6 0 0%. Ti'-trx.i^Uv'r-iJf'^-T.s o sicSiJ-rSo 

[ 0 0 8 4 ] 

Sfc. ^~;l/-7'Sar-:/;l/ 6 0 0 fc. T'ic K t^: R L T § y - F i o o © 

*XF^A^e.I P7FbX^ftf?*-r§Ci:T. >^~;l/-y;<y/^Ba7---/;l/ 8 0 0^5:)jg 

•r§o 20 

[ 0 0 8 5 ] 

^ 7°#ApfflaSP 3 3 0 0 a. ^7"';l'-yf^O§/- F l 0 0 i: I P s e c iift 

3 0 9lcaSL. ^7-;l.-7°F*3OKl¥«0^y/^oy-F10 0C^ IFsecilftT'g**'* 
[ 0 0 8 6 ] 

^";i/-^itflJSS!iag|5 3 4 ootj. ^;i/-yA^e.^flJJ-r§^^/i/-:/iiiJi5aa%R*3fco-e 

[ 0 0 8 7 ] 

n.--if-7b^-m/t©y- F 1 0 0 ^^•;i/-yA^?>giiM^i*-fcv^«^. a^y so 
-KioocS£Dy^'j*-K^»A-r§ci:ii-r§o -r^i^-^. ^"^iz-^iisij^aatt. 

fij fp 3 1 0 Qif. g # CD 7 ^' -b X 3}-° U X - ^ - X 3 0 8 i^' - T' B a x - 7 ;!/ 
6 0 OA^IfftTS^^ ftA?n/cy^UA-Ffcs^~;^-:/Waf-->^;i^6 o OA'^^ftL 

i: fij if L fc l§ tc It t3 ti t O T § o 
[ 0 0 8 8 ] 

7°lt)lffiiltts ^~;l'-7°(cHT§ffl©y- F 1 0 0tcg#£Dy-Fi OOA^itMI- 
<D7^'-feX4^'J?/x-^'<-X3 0 8 &'<i;t;S Ar-^'^-XS 0 SrtO^'/lz-T'KcDa 
[ 0 0 8 9 ] 40 

c c -e. ^~;i/-y#i!ip5!iagi5 3 3 0 0 ^ axs ]i--fmm.MU 3400 *^^n^n^ # 

ta4o J: tf«SM^^";l--^tcK-r§#y- F 1 0 0 caftl-r§^«. I ¥ f^'T 

y F i: ff ^' W gij =4 X - ^ g[S ^ W -r § I P ^ -y F ^ ffl S „ 
[ 0 0 9 0 ] 

ii c ^(D ^'j\^-fmm I p ^■^'^ -y h tcot^Ti^H^-r §0 0 7 ^~;i/-:/fflw i p 

«y 0 0 OtD-fiaj^^fo 

[ 0 0 9 1 ] 

*StcS-r J; ^ tc. ^;V-y|iJffll I P >y F <Dx- ^'gp 1 0 0 0 ti. n v> FligiJ?* 

ii^tt-r § 3 V > Fii^y? tsfflgp 1 0 0 1 . I p 7 F ux t *x F « i: ^^n^n^s«-r 

1 6/WF(DI P7FUX+Sttg|5l 002i:. .t>XFi&+S*figPl 003i:?:«^§o 50 
[ 0 0 9 2 ]

mm I P /^-^ -y h toJi-&. n V y HiiSiJ?*&ttgl5 i o o i rinXJ ^^"T ( o o ) he 

X t ts X h ^ t ti'^mj^ ti ^ o 

[ 0 0 9 3 ] 

Sfc. ^-;b-7°*^^«K-r?.gtc^';i'-:/^::S-r§§y- F 1 0 0 It ^ ti 5 - 7° 
fiJfflilF^^^-yF©^^. n-ryFligiJ^ISttSPlOOltc riliJj;£^T (0 1) he 

iP7Fix7.is,ttgi5ioo2i:. .t^xh«1^ffla5loo3^;^c^i, ^n^ni^oTFi^ 

X i: X F « t A^-fSS^ n§o 
[ 0 0 9 4 ] 

;l/ - :/ 1* ^^g M fr ® a ai5 3 5 0 OB. ;l/ - 7° W a - "/ ;V 6 0 0 (D ^ % H if L fc D > 

^ n ^ ^ U * - F K n tf - T § t/^ -3 /c ;b - 7°it fg S Ut ffl a ^ ^ 3 fe © T 5 o 
[ 0 0 9 5 ] 

* * « Jf^ S :i3 T ti . -b a: U X ^ IB] ± ^ ^± § fc tc . - 7" ffl T § i'" - 

7°mifm^<Dmm^ t\z^m^n^m.'&trs-DX\^^^. )\^-fmm%m^m^'i 5 0 0 

a. i7';v-y^ax-^;l'6 0 0Oa^a»3llA'«^^A7'i' F LfcBt.^T-. ifLl.^^';^-- 

ya^^is-r 5o 20 

[ 0 0 9 6 ] 

n s o a w tc B . F/T s (D w ?i] w PI ^) . f ij ^ ii\ T' ^ X V Y X 3 0 % iig CD ^ y A ^ fa 

F fia '/ii -r 5 o c O fc 46 s # 7 - F ^' gl ^ a ffl K © ^ 7 F ;b^' S ^ 5 ^ ^ 5 y 4 
i: . it 0 M iff ^ ^ 5 / - F - o ^ S D . ;i/ - y (D ^ y lai ^ c ^ - ^ 4 

[ 0 0 9 7 ] 

^ y/^A^p. ^^";b-:^tc«f F{C3i#-r§o c © i: t . it© Mff i: t t . #7- 30 

FO«Wa}l!PI=&Hi95ttT^,=};i^o 

[ 0 0 9 8 ] 

7°tf ISMirffiilSP 3 5 0 0 a. flfi<D7-FA^P.> M »f $ n fc - ^ S 
7-Fl OOOI P7FUXA^Mif^nfc^^. Waf^x-^'^-Xrt®! P7FPX 

^Miif -r So 

[ 0 0 9 9 ] 

ci ti T . ^nmy&MX\t. ;l/ - :/ cd si ® M D? a ± a © ^ ^ ^ t) n 5 /c a* . y /I' - 7° 
#ta5aJlle:ffl v^p,n§ ^ ^ U A - H 6 0 0 ^c^i:SK^n*v^o 

H^K. ±M0D^*>'l/-7'A^?)CiaEffii&att> t 'J F^fflV^TtT^t>n, SflMt 40 

fc7-Fl 0 0 ^ ^ )V--f^mi^t / - Y \ OO^cDiittlfi, I P s e cSffllc 

ioTfffctiSc cofci6. ^^";i/-7'i^MtcJ;5^~;i/-:/«/S;>«y^^®^Sfe. 
#i]q»Jl{cfflv^p,n5^^U*-Frt©^~;i'-:/sax-^^i'6 o oicgiift^n^v^o 

[0 1 0 0] 

C©fc46. ^'";l/-7''lf ^SMirMagP 3 5 0 0 *^ ^ ^ U * - F O 

- 7° s a -r - /i- 6 0 0 o M ff Jaa t tT ^ -5 o 

[0101] 

^/p-y'if ^gMirJaagp 3 5 0 0 *Mt^ 5 ^ * u Frt(D^*;i/-yeax-:7;i^ 6 0 0 

©Sirffiati. $lj»g|5 3 1 0 0 g#©7 ^ -b X.t° ->X - ^''^-X 3 0 8 {C t , fflA 

$nfc^*U * - Ftcfe^*;l'-7°Waf--:/;l'6 O o A^#fef § i: WKf L/cfglctf t-ti?. 50 
t d * S o

[0102] 

i^'/lz-ytSSSirMaSR 3 500 ti. ^^/-Fi ooOT^-bX^^U-^x-^-^-xs 

mf--y'ji 6 0 0 {c 3 tf - -r § o 

[0103] 

;]/ " 7° t K m « L T / - F 1 0 0 ^ t U * - F * » A L , t U A - F ft O 
;l/-7^gilf--y'';V 6 0 0^*iTOfe<Di:-r?)ffla?rtufeoTfT*9^a#lli^j£*T*3 

[0104] 

^'fV--fMW I p /•^^ >y FSMMagp 3 6 0 0 (i. wr^io ^i-fmm i p -y f 
fi L fc 1^ o iaa ^ tT a t o T' § o 

[0105] 

M t± . to A 3 -7 > F ^ ■§ ffl L fc ±i -a- a . I P T F 1^ X ^ 1 0 0 2 *5 J; tf * X h 

« « Ifl » 1 0 0 3 {C ft ^ n T § I P 7 F U X J; ;J^ X h * S J* O - 7° g a r 
- 7* 6 0 0 J; 0' i^" - T' y e a X - :^ ;!/ 8 0 0 i: it ip L . 51 ft k: / - F i o o 
<!i Hi ^1 a ft ^ ?f ^ 9 i6 S :^ -fe 4^ a U X 7 y X - v- 3 y % fig t" § o — ^ x S flj^ 
3V> F^SfflLfcJi^tt. ^nP.^iiJI^T§o 

[0106]
^JkK. 7^'-{rXj}^Ui^x-^?^-X3 0 8tctSlfi$n§^'";l/-ysar-7;l/ 6 0 0^:7 
i'-trx$iJ»5t)S7:/U'^r-y3>'gax-:/;V7 0 oi:. ^';b-:/^y/^sax-^;i'8 

0 0 ^ O T J-X T i5J Bi§ 1- § o 
[0107] 

^ ;b - y W a f - - 7 ;b 6 0 0 a , ^ ;l/ - 7° JS "T S / - F l O O ^ sffi T § /£ to til t 

i^- - y T ±± -r » o ts f g ^ ^ ft ^ifi -r § X - 7 T- s o 0 8 ^ ® - f?ij ^ -r „ 

[0 1 0 8] 

* 0 c ^> -r j; 9 ^" - 7° « if X - 7 ;l/ 6 0 0 a . >y F 7 - ^ S M S n /£ 7 - F l 0 

0 \z -o xm^-^ ^ ^ f )^ - f ^mmr ^ fcib <D )i - fm'»\i- ^w-r ^ ^ )V - ^mm 

?ftffl7^-;i/F6 0 1 ^7i/-7il^ft«1-?.^^';i/-7ilftlfi7^-;l/F6 o 2 so 
^©^";V-7ao#«j»ll%ftlfif5 i^';y-7»*-5ai«p:ifttt7 -1- -;l/F 603a;. AH 

.ESP t^^ -D tc mm\^%^\mr ^ i p s e c cD«tg®a»j^fttt-r s i p s 

e c asyfttt7 ^ - F 6 0 4 . If. K ^ § IMi Bf # ffl v^ § 7 U X A ^ ft f § 7 

U X ft 7 f - ;!/ F 6 0 5 i: . i*'';!/ - 7 M f 5 7 - F i 0 0 ^ ^ gij f § If f B T 
?.*XF«^fttt-r-S*XF«ft»7')'-;VF 606 (606A~606B) t^mfi^ 

[0109] 

7 ^ -b X$iJlil^*7 7'J ^-:y 3 >Wa-r-7;l/ 7 0 0 tt. 7 - F 1 0 0 tc i^^b - 7 (D 
7-Fl 0 0A^fiJfflRrte^77U^-i^3>A^^S$nT 1^5*1^, 7-Fl OOtC^S 
^nT(/^§§77'J ^r-v- 3 ytC^^-r^ 7 ^-trXSiJffl)©fci6 tCfflV^ 5 WfSA^fttt^tlTl^ 40 

§ r - 7 T- § o 

[01 10] 

?3: *3 , * -f " 7 , 7 F 1 0 0 A> 7 ;^ - 7 ^-^ ?> © 7 -b X « L T CD ffi #t t" S 7 
7U^-->3>'fcJt^^SLT!/^§«^tt^S*fcO'e^§o 
[0111] 

77-fc:xfiii»«*77U':r-iy3ywax-7;v 7 0 0 (D - m^m Q ^^fnt o 

[01 12] 

*0lcS-rJ;^tc. 7^7-trXSiJ»>!^t^77uy->'3>'Wax-7;l/ 7 0 0{i. 9 i\^~f 
^<D7-Fl00lc*>PJ)K^nTt/^?.77U^->'3yA^fiJfflfS3i^-F##^ft«l*|-r§ 
,-j^_].§^;tSlfl7-i'-;VF 701 (701A. 701B) ^iiA§o ^7-FlOOfi, 50 
§ g © W ^ ^ 3 o

[01 13] 

, - 7° ;^ y e S -r - 8 0 0 -::> T IK Hi! -r ?. o ^ / - F 1 0 0 T , IP 
V 6 a -rJ t . I P >y h a ffl ^ * 9 fc 46 t a ^ § y - F 1 0 0 CD I P 7 F b X ^ a 
§ £^ S .fe § „ ^" ;l/ - 7° M T 2. § / - F 1 0 0 © I P 7 F b X a . i?' ;1/ - 7° # ip B# m 
^#L/•c§y-FlOO©4-^X^^,A^e>ICMP (internet Control M 
essage Protocol) Echo Request/Reply ^^^-yF© 
^ 0 0 tc j; 13 , 7 F U X © » ^ fT ^ 9 f § o c © <fc ^ tc, y ;y - 7° y > lo 

f- - 8 0 0 . # / - F *5 T X F « I P 7 F b X ^ » L T 11: fig r § 
t>©T'. ^cicfi. ^;U-7°lcB-rs^/-FlOO©*XF«i:IP7FUXi:©?^^S 

[0114] 

0 1 0 ^" ;b - y y > w a T- - 7" 8 o o © - ^ij ^ ^ -r o 

[0115] 

*EIlc^-r i 9 fc, 7- F^#S-r§*X Fi&^IS«t54-sX F«««7 

^■-;^F80 1 i;. 4-sXF«ilMl£$-<iT*y-Fl 00©I P7FbX^««-r§ I P 
7 FbXtSffl7'f-;L'F 8 0 2 I P7FbX©=fr^»!ll^tSlfl-r§W»!jai!|!ItSlfi7^' 
-;yF 802i:^#K.§o 20 
[01 16] 

y-Fi oo*^se»iLfcJi^:^irtc. y-Fi oo©i P7Fuxa^^§RiiEttA^* 

5o -SBtP^F*3^^:IP7F^X|&,ttgl5802 ^C^§ffl^nT^/^§IP7F^Xt3ilS 

/iM? ^3 n ^j: V ^ . W ?^ ffi PS ^ n 5 ^ -gr § o 

[0117] 

i:©=};'9^y-F(cWbI P^^'^-'yh^Klft-r^.ii^. y-Fl 00©I Pv6}MfP? ftu M 
S! g|5 3 0 5 a < 1 C M P Echo R e q u e s t / R e p 1 y '!r -y F © D t '9 IC 

J; 0 . X F «i p) 7 F p X © » )* ^ w fi ^ ^ ^' - 7° s a M a 35 3 0 2 tc a a -r 
o^n^SitT. ^^;y-7'gaj!aagi5 3 0 2©^';i'-:/i»fiMffS!Laa53 5 ooa. ip 

7FbX7b^aS$nTi/^§*r-7';l'*3j;t>"i^;l/-7'rt©aftK?iJffl-rs-t4^aUTf7 30 

[01 18] 

i^tc. SA-r-^'^-X3 0 9 lC|&lft$nTV^§. ■fe4^3.U-r-i'7V>'X-v'3>'9 0 0 

iCOt/^TlMiifSo -b4^aUX'('7V>'X-i^3>'900 a. I P s e ctc©^i:o/cji 
{f ^ It e> /i J6 fc W "T < t ft ^ ^ S a T ?. t © D s f^iJ ^ ti\ 7 - F 1 0 0 A i: y - F 

looBffflTiiia-rsii-a-^ y-FiooA;6^6y-FiooB:a^[R]©afis *3<fct;. y 
-Fi ooB*^6y-FiooA:^fpi©afS. w#c*ft. ^4iLTS^■t§i^:^SA■ife^ 

© T § o 

[01 19] 

011 lC.-t4^:iU'r'i'7y>'X-S/ 3^900© - j^lJ^^-To 40 
[0120] 

*0iC7j^-ri;dt. ■t:^^iUx'r7y>'x->'3y900 S. §-b4^rLiJx^'7y>'x- 
^> 3 >^iisij-r 5 s p I (-b 4- i u ^ ^ 4-s u i-iisij?) . mmft i p 7 f ux. )^ii$t7 

FbX. 7°nhr3;l'i:LTlSIIS5VMJBt^©Jg£. Bi#iEHi:UTF^>'XiK-h^- 
F j& 5 (i h y ;i/ ^ - F © ^ s Bf ^ 7 U X A . m ^ It . iS II 7 3 'j X A . IS liE 

a , a © n ffl PS ^ i: ^ # t? o 
[0121] 

* ^ ffi ffi TMi . ^ y - F 1 0 0 tc *3 1/> T -b i 'J T ^ 7 y X - 3 > 9 0 0 ^ it fig f 
StCfe/ci^s 3l{Hffl©-b^:iUf-'f7y>'X->'3y900^{tfi)c-r§^-&a^ jSiiTt;! 
P7FbXtca. g#©y-Fl 00©I P7FbX^. iMffl^fel F7FUXCa. af8 50 
ffl * ^fe y - K O I P 7 F U- X ^ S S b , §:mm^i'¥f^t ?>^'^ii. 31 IS 7C I P 7 F b X
fflfflffl^5feC[)IP7FUX^^^L. }lfl5feIF7FUXtCti. g#<D/-FlOO 

(D I ? 7 V ux^m^t 

[0122] 

s p I , ft ffl . S fS ffl . ;^ - 7°m a X - 7' 6 0 0 <D - •/MESU 

[0123] 

j-;^ ± . * n SI ® tens It § y - F 1 0 0 o § ftl ^ H o T Hfl L fc o 

[0124] 

tc . ^■MmmmK:isif f 7 - ^ i 1 0 s gi ^ n fc # y - f 1 0 0 rs , ^~ ;b 

1- § 0 

[0125] 

J-X T *5 T tt . I P s e c O S fig Sy i: b T A H ^ . ^ - F L T F ^ > X .t" - F ^ - 

F^&, |gE7;P3UXAi:LTSHA-l(Secure Hash Algorith 

m i:SHS (Secure Hash Standard) PIPS ISOfct 

rm^) ^m^^^m^^mich^f. mm-r^o i p s e ciiflossa. cnp.tpi?>n 

[0126] 

t. ^";^-:/;&iiS^^■r§^^cfflV^5S^D^^U*-Fi:^D2O0y■t'JA-F^fflV^T^' 
;b-7°(D^fej«. #ijn. mm. If SSfT=^ i: ^fT^ ^ o 

[0127] 

0 1 2 tc. ^" 71/ - 7° S if ® a 3 0 2 ;6Mt * -5 ^' ;1/ - 7° B if H ^ WI 3 0 2 0 ^ /t^ f o 
[0 1 2 8] 

ysafflffl^jii 3 0 2 0 ti. a-^f *M ^ U - F^^/- F 1 0 0 ©ES«#^' 

>'^7x-x2 0 6 Km XT ^ c t ^ ^ ^ fi' if K mi^ s n ^ o 

[0129] 

^UT. I 0 oommm»-cy^y :L~xmm&-3 1 Sit. y^rU^-FA^'tHSifi 

f*^y^7x-X206 K}fA^n/cui:^1t(±)-r§i:> IB1i«l*-i':/^7x-X206 
K li ;^ p> n T 5 L E D ^ -f F ^ * L . y U * - F ^ f U ffl S § d i: f ij ffl ^ C J=f 

[0130] 

L E D^-r F*^?f^*T^nfcC htc a-^f fiMll/i)^l*7 L /c c ^ 0 . ^ t U * - 

[0131] 

Sfc. IB'i^fi^*^ 7 x-X5!iag|5 3 18a. ^^'JA-F^^ttHtfcCt^y;!/-^ 

sasaiigp 3 0 2 'xaaf §0 ^cojifti^^ttT, ^/'yiz-T'wa^aagp 3 o 2 a. 
7° e a ffl II 1 0 0 0 % M -r 5 . 

[0132] 

i; t\ ;l/ - 7° W a ffi a 3 0 2 © »J ffll g|5 3 1 0 0 a . g # © 7 ^ "tr X 4^° U i> x - - 
X3 0 8 Eil«{*^y^^7x-Xfflaa53 1 8^^LT><^:UA-FWA^n/cy<* 
U * - F <t: fc 7 ^ -b X L . ;l/ - :/ g a x - 7* 6 0 0 © W * ^ « IS T § ( X x >y 7" 3 0 
2 1 ) o 
[0133] 

eiCT. ?> c y;l'-7'Waf--7;l/ 6 0 0 v^^-g-. ^"/b- 7" S ft b ^ t/> 
. f 55: . y - 7" 4 fig -r § B t W Iff t . SiJ » g|5 3 1 0 0 . ^ ;!/ - 7" ^ ^ 

mm^ 3 2 0 0 ic - f ^^mm 3 z I 0 ^ n ^ (xr>y^3 0 2 2) o 
±i&mm 3 2 1 0 i^^jr ^ um^ 3 o zit. lan^f*^ ^ 7 x - x^aasp 3 1 s

It # CD 7 ^7 -t X 4^ U r - - X 3 0 2 tc (J ft < . ^ 'J A - F # ft L fc if ^ . SO 

fflgp 3 1 0 0 It. ^ u * - K (c#ft-r 5 S A-A^#iP L cfc a t LT v^^S Wif 

L . ;l/ - 7° # i)P » a g|5 3 3 0 0 ic ^' fl-frntamms 3 1 0 ^ ff -li- (X r >y 7 3 0 

2 3) . - 7° # ijP ffl a 7 f i: , X f- Zf 3 0 2 7 icMtS o 

[0134] 

^ ^ U A - F fc a S5 < , g # CO 7 ^7 -tr X 4-° 'J v- X - ^ ^ - X 3 0 2 {± # L /£ if -a- . $0 

» gI5 3 1 0 0 a . g # K fC ;!/ - 7° M L T (/^ § S a d ^ ^ U * - F IS A ^ n /c C 

i:tc<kD, ^;i--:^mm.mm^n^jio ^(D tmmL. ^'fi-ymmmmi^3 4 o o ic^'ji 10 

-y^iJS!ia3 4 lO^R^^^-y: (Xx>>73 0 2 6) . ~ m^mMff t ^ t 
Xf->y7°3 0 2 TlCittJo 
[0135] 

H-&6.tcfcy;l/-7°ear-7;l/ 6 0 0 *^#ft-rSJi^ti. Sijfflig|53 1 0 0 fi, ^-f, 7 
i7-tX4-°U>'T'-^'^-X3 0 2rt©^';l/-7'gax-7;i'6 0 0 i:^^'J*-Frtoi^ 
;b-7gax-7;l' 6 0 0 t (D ^ - ^mm"? ^ itmt ^ (Xr -y 7 3 0 2 4 ) o 

[0136] 

ccT. mmt'^mi^-u&tiiS. ;^ ^ u a - f o ^■yv- 7tf fg^Mff r s saa^iT^s: 3 o 

||J »T L . - 7 It « M if ffl a gP 3 5 0 0 ^" ;1/ - 7 ti f S M »T ffi a 3 5 l 0 t L T 7 ^ 

-b X U r - - X 3 0 2 rt © i'" - 76 a f- - 7 ;l' 6 0 0 ^ ;< t U :^ - F K n if - 20 
t ^mm^n^j:t>'^ (Xr>yy3 0 2 5) . ^^MSaa*^'^7-r§i:> Xx-y7'3 0 2 7tc 
It?. 
[0137] 

X f- -y 7° 3 0 2 4 (C T . M^f^m^i-^rcM^. itfiJ l» g|5 3 1 0 0 . P fc ^ 'J ;^ - 
F A^' If A ? n fc i *IJ ir L . ^ O t * X X ^y 7 3 0 2 7 (C f t? o 
[0138] 

ijs: K . ^' ;b - 7 3; fiic M a 1 2 0 0 . ;i/ - 7 # in sa a 1 3 0 0 . ^ ;l' - 7" it ffi a 1 6 0 
0 . yi- - 7 if M if ffi a 1 5 0 0 o # Hi ^ -r s c 

[0139] 

^~;P-73£fiScMa 3 2 1 0 (Dffla#)li^0 1 3 fC^-To 30 
[0140] 

ftij»iip 3 1 0 0 c> ®aifm©Ji^;&Sit § i: . i'';!^- :/^^®aa5 3 2 0 0 ^^'/i/- 

7a ^ Si IS L (Xx -y 73 2 1 1 ) . ^~;V-7^i6giJ-r §/ci6«^";l/-^iiSiJ?^^«L 
(Xx-y 73 2 1 2) . |f.iiE-B|^^-Fi:LT|!:E (AH) >&gJi?L (Xx-y 73 2 1 
3) . 7 )V d V X L t L r S H A - I ^m^t ^ (Xx>yy3 2 14) o 
[0141] 

^LT. ^n^"n^. if;!/- 7iltSlfl7 ^ F 6 0 2 . 7iSSiJ7+Stt 7 ^ F 

6 0 1. I P s e c a gij « 7 - ;]/ F 6 0 4 , 7 3 'J X A Ifl 7 f - ^l' F 6 0 5 « 
mi^. ^' )V-'f'emT-f )l 6 0 0 ^i'^&t ^ (Xx>y 73 2 1 5) o ^UT. :^-^XF^l 
+Slft7-^-;l/F 606 lCg7-Fl 00(D:J-vXF«;&SSt-§ (XT>yy32 1 6) „ 40 
[0142] 

;i/ - 7 e a X - 7 ;b 6 0 0 7b"i 5% fig -r § t . 71/ - 7 §1 fig ffi a gP 3 2 0 0 a . * f- - 7 ;l/ 
^^t'J*-FfC3tf--r52;±i^i:, g7-Fl 00©7i7-txt°U>'x-^-^-X30 
8 IB 'K L ( X T- ■y 7 3 2 1 7 . 3 2 1 8 ) . ffl a I* 7 b ft o i; ^ $|J » 3 1 0 0 t » 

[0143] 

, ;i/ - 7° # j!)D a 3 3 1 0 o sa a # Hi % H 1 4 ^ -r . 

[0144] 

$ijwgp 3 1 0 0 c.MaM^!fe©i§^^stt § i: > ^^'^b-T'^ipsaagp 3 3 0 0 {i. u 

7!3-F±©y;l'-7°Waf--7;l/ 600©4->XF^t&ffl7^'-;l'F 606tCg/-Fl 0 50 
0 h ^^iiijp L (Xx >y 7° 3 3 1 1 ) . ^ ^ V - \' ±(0 if )l- ^fiMT - 7 /I 6

0 0^g#(307^-tX;J-°';i'x-^'-^-X3 0 8rttCf31tf§ (. X 7- yf 3 3 1 2) o 
[0145] 

8 0 0 ^#^1- § i: tc. ^71/ - K S L T ^ 

3 3 1 3 ) o 
[0146] 

^ LT. 41: i?©x X -y :/t:-fBS^ nfc ^•;b-7°Bax- 6 0 0 « ?g *5 J; i'" ;b - 

-f ^ y /^wmt- 8 0 0 (DW^ t ^ m^-' . §y-Fi oo^itoi Ps e c miticf%i^ 
;s-ir4^aUx'r7y->x-iy3y9oo^^^L (x-r^y^ss 1 4) . mmtimjhrz 
c t^um^s 1 oolcate-rsc 

[0147] 

# )IH ^ /T^ 1- o 
[0148] 

iff^y/^jiafflaST 1 OTtt, ^;^-7°®^^[!x-■7;^ 6 0 0rt^D*X^€7^'-;^F6 

0 6 izmm-^ nxl^^^t^X h ^ tKMK. ICMP Echo Request / R 
e p 1 yJCj;D I PTKPX%IKf#L (Xr-y7^3 7 1 2) , ^-/b-l/^ty^^eilx-^ 

/ysootc. 3r^x^«c:■i:tc^R#LrcIP7F^'X*s»•r§ (XT->yy37i3)o 

[0149] 

±fSOXx-y7°T'B{t#L/£. ^7";i.-y;^«fig-r§§/-Fl 0 0® I PTFbXtCjtLT 
iDAnvyF^^fiScL (Xx-y7'3 7 1 4) . ^tl^mSt^ (X7"-y^3 7 1 5) o 
[0150] 

tLX . i^©*XF«,^St*^tHLT. Xf-'y7°l 3 3 0;6^e>l 3 6 0 (D m ^ 'Mt ( 

XT'y7'3 3 16) o CdT. M*^tHL/cd^XF«,A'=lil#©/^Xh^,«Ji^a. MfeffiS 
^ It *o -f'^ O * X F « ^ ii tti t ( X X -y y 3 7 1 1 ) „ ^ L T . ^" - ^ S S f" - 7' 
6 0 0 © .t^ X F « *S ll^ 7 f - ;l/ F 6 0 6 t $ n T § , lii # CD 7 - F 1 0 0 ^ Pt < 
±T£D/-FJi:MLTJX±'^)S!ia^^^§i: (X-f-y7'3 7l7) . <>";l'-7°rt^®ff^ 

y^aftiSELa i 3 3 o^^^^o 

[01 51] 

a ± , ^" ;b - 7° # ip ffi il 3 3 1 0 ic-oh^rmmLtca 

[0152] 

ic, i^' - 7° S SM a 3 4 1 0 o i/^ T . HI 6 ^ ffl T H f 5 o 
[0153] 

|ij W 3 1 0 0 M a fffl o fg ?Tx § 5 i: . ^" }i-y°m flJi M Jl g|5 3 4 O O . / - F 

1 0 0 O - y W il T - 7 ;l/ 6 0 0 O * X F ^ t§ ffl 6 0 6 (C @ IS ? n T S * X F 
«,^)i«SlcM^?^tH-r (Xf-^y^SS 1 1) o 

[0154] 

clilT-. M^tiJLfc*X F^A^S>-^X F^i:-atrc»^«. O * X F « ^ ^ W f . 
[0155] 

fl^ffi Lfc:f^x F^A-^i^x F« ^;-SStL^i^^^ti> ^ ;F - :/ > «il r - :^ 8 o 

0A^P.f!*^!JdL/cJ^XF«lC*tlSf5I PTFUX^^^rS (X-r-y:/3 3 1 2) o J-X 
ft. ilcDIP7FbX^tt*LfeIP7FbXi:iif^"o 
[0156] 

i^tc. jl{t5tIP7FbX%1t^L/-cIP7FUXtLfciiaM3vyF^{lFfiStt (Xx-y 

7° 3 3 1 3) . ^(omm9t I p T ¥ ux^^t ^ y - 1 0 0 Kmmt ^ (x-r-yyss 

14). 
[0157] 

^'-ji-fmmmm^3 4 0 oti. g*cDfswr§^*;u-:/^>'/^ear-7'/i/8 0 0*^5. 

«±©#ft^tT^ /c^^ Lfc I P 7 Kl^XtC-f^fe§x-:Jf^ffl^-r§ (Xx>y :/3 3 1 
5) o

[0158] 

i^tC. S Ar-^'^-XS 0 giCHaH^nTV^S-fe + n'Jr^TVi^X-J/ayg 0 OA^ 

7-^7 yi/x-^> 3^900^ id lt-r§ (xr'y:/33 i 6) o 

[0 1 5 9] 

Sfc. tt^LfcI P7F^Xi:l|Ll^iMfH^I P7Kl^X^|#0-b^:xU^^'7y>'X- 
[0160] 

^'";y-:/iifl5iMSgP3 4 o oti. ^/';i/-yea7^-7;V6 o otgssnTv^5^T©>t^ 

XF^IC^LT. ti±OXx-y7°3 3 1 l~Xx-yy3 3 1 1 (O M'ii L tz'ik (Xx 

•y 3 1 8) . g#7bMa§-r§<>*;l/-yWiIx-:/;l'6 0 O^I'iJKL (Xr-y:/3 3 1 

9) . )v-fm.m.M^ 2, 1 ^UT. $ijffl)gi53 1 0 o\zmm^7 ^mfG 

[0161] 

tc . ± IB CD ^" - 7° # in Sfl sj! 3 3 1 0 1*1 o ;i/ - 7" 1*1 « iff ^ y 31 5;p M ai 3 7 1 0 © 

Xx-y^S? 1 5:ioJ:y'^~;l'-yilii$aJ13 3 1 0OXx>y7°3 3 1 4K*5V^T}M€$n 
fcs ^n^'ninAnvy F *5 J; «iJ n -e y F ^ Sff L fc © ^ / - F i o OfflJ-pcffl 
ii ^ j-x T iS 0J! -r § o 

[0162] 

I p /■^'Jr >y h gfflsaagp 3 6 0 0 j; o TfT^^n. ^'/y-ysij 

»I P/^^'yF§{I5ail36 1 Q t^S^o HI 7fC*®il©¥-Ili*^fo 
[0163] 

^';V-7°^1ifiScr5§y-Fl 0 0 a. ?^-y h7-^^>^7x-XSffffiagP3 1 OK 

^\-x ^ )V~-fum I ? '^'T V ^^mr ^ t. iPSflgP3i4. TCP/uDP^fs 
%mni 3 1 5 ^gT ^*;i/-7"waffliigi3 3020 ^)\'-zfmn I P ^■^'ir -y F §{iMagP 3 
6 0 o-vSitiS-To 
[0164] 

S« t/c^'";l/-7'SiJ» I P /^^r -y FSfi5!iag|5 3 6 0 0 a. 3 v> F IS SO ? Ift 1 0 0 
1 ictS^g^nri^S n FligiJ?*^'inAT* § *^SA^^5*iS-r 5 (Xx-y :/3 6 1 1 ) 

[0165] 

X X -y 7° 3 6 1 1 -e n -7 > F li so ? io A ^ /T^ T (00) h e x T * o ^ ^ . fr^^^ 
. iPAri V y F ^Sfl b/c«^. Xx 'y y 3 6 1 2 it ^ . ;V - :/ $ij » I P -Jr -y F <0 
*XF«1 003lcgS$nTl^?.inA3-x'>F^}^fflLTt/c/-Fl 00^D5^XFS 
^^;P--/1ISir-7;P 6 0 0 tS«-r§ (Xx'y^3 6 i 2) „ 
[0166] 

^LT. y;l/--/;^>'/^gaf--7^;l'800lC> toA3TyF^}lif6fbTt/c/-Fl0 
0 04-^X F t . ^;l/-:/$lJfflI I P /-^-Ir -y F O I P 7 F bX+SttgP 1 0 0 2 ICKS? tXT 
V>;S^£DI P7FbXfc^S@-r§ (Xf--y'/3 6 1 3) o 
[0167] 

tc . ;i/ ■- 7° *ij tP I p -y -y F s « » a SB 3 6 0 0 a . }i ft ffl . -r ^ ^ . g # © y - 

F 1 0 0 *^ Ap A n x- y F ^ )M ffi L T t fc iff M ijp A L fc y - F 1 0 0 7? ^ O ft . *3 J; 
t>\ Sftffl. •r**^^. ioAnTyF^jMflLT^/cfrffitcipAL/cy-FlOOA^&g 
#©y"Fl Q07?[pIO3ifI. §^©-b4^aUf-'r7y>'X-v'3>'9 0 0^fF/?!t-rSffl 
a^tT^a (X-r>y 7°3614. 3615)c 
[0168] 

Xx <y :/3 6 1 i t n v y FliSiJ^A^^flJi^^^T ( o i ) h e x Tfe ^ fc^^. -r 
^^5-^. vy F^Sfi bfc^^> ^7*;U-ySiJ» I P ^^'r >y FSfflMagP 3 6 0 0 « 

. X-r^y7'36 16tCjltyo 
[0169]

c c ^';i-z^mm I p ^^"r-y hSfflsaagp 3 e o o s a x-^-^-x 3 0 9 tcia 

Ox-^^gM 000©I P7FUX1 0 0 2 ic^mt nx^^?> I P7 F X ^ L ft 

( X r 'y 7° 3 6 1 6 ) o 

. S ft L /c S SIS 3 -7 y F © I P 7 F b X 1 0 0 2 i: H L F 7 F 1^ X ^ 5 x - 

^ ^ ;b - 7V y S a 7 - 7* ^l' 8 0 0 b iij It L ( X 7 -y 7° 3 6 1 7 ) . S It L fcli SJJ 

3 V > F O 4-^ X F «i 1 0 0 3 (CIS $ tl T J}-> X F i: 9 Lt/^ X F i& ^ . i 7 - F 1 

oo±oi^;i/-yeaT-7;l/ 600 *^p>im-r§ (Xx>y:/36i8)o lo 

[0170] 

^' ;l' - 7° O ^ T © 7 - F 1 0 0 t *5 T J-)i ± ? )i ^ ^ d i: (c j; »5 . ^ T <D 7 - F 
1 0 0*MSWT?>^S^tfc7-Fl 0 0tC^>tJSf§-fe4^a'J7-i'7yv'X->'H>'9 0 0 

^iiJPtL. S/c. i'";!/- 7°l^a!7- 7*;b 6 0 0 ^ . » M t fc 7 - F 1 0 0 © t» ffi ^ 
T 5o 
[0171] 

iX±0 J: 9 K LT. ^/^Iz-y^Wfig-r § 7 - F 1 0 0 (c if ffi iP A S tt H i: o /c S S 
jb^^ofc®^, aK7- F 1 0 o*^c.3ifi^n§^~ i P/^^<y F^^ftLfcffl 
O 7 - F 1 0 0 *3 T . i # O ffi Wr 5 -b 4^ i U 7 f 7 y v- X - 1/ a y *3 j; If ;l/ - 7° 

ma7-7;y 6 0 0 :6^'Mir^ n§o 20 

[0172] 

^" ;!/-:/»]» I P /■^^ >y F §fSfflil%»iB^ Lfc 

[0173] 

7°Sil®ag|5 3 0 2 cfc § , - ^ (D 4 fig . #iP. liiJi'S: if © ^'^Iz- 

[0174] 

C , ± E © # T 4 Sic ^ n !S ?I ^ n T V> § ^' ^l/ - y > 7 7" 'J -^r - 3 > ^ 5 IC fij 

ffl -r § ^ Hi ^ ix T Bn -r 5 o 

[0175] 

7 y U 7 - >- 3 > © fij ffl . I P A 7 >7 F ^ 5 l/^ t S f § c: ^ <fc o T If S n § o t 30 

■r\ O I P 7 -y F © }i S ft -3 T m T § o 
[0176] 

tuaoj;^!^. I P s e ciiffl^tf9/cJ6C^i6^^0jtSM*-t4=-:iU7f7y>'X->' 

3 y 9 0 0 a> yeaffiJi 3 0 2 {cfcv^T, m tc ^j: )\/ - f m 1^ ^ y/^A'^jiijp ? n 

^Klc4fiSt$n§of*ti^. ^;l/-7'tc|iLTl^§ffiti^ I PsecfflffitiBlHe 
[0177] 

I P 7 -y F ^ ffl f § S fc t» V I P s e c 32i ffl ffl a g|5 3 0 6 a . {f f § I P '^ 7 
cDiMft^IP7F^X^4^-tC> SA7-^'^-X3 0 9?r1^^L. 5^lS1-SIP7Fb 
XA^JMfflf^I P7F^Xi;LT«l^^tlTV^?>-b4^a';7^7yi>x-J/3y900^a 40 
HitSo ffl(±lLfc-t4^a';r'f7y>'X-i/3 >9 0 OlcaS^nTV^^'IfjStcStSt. 

IPsecSaa^tfl/^. IPv6jMemffla307;SrlTV^. T^-yF7-^'-ry^7x-X 
fH » a ^ /]■ L T . ffl 5fe 7 - F (C I P A 7 -y h ^ )M fB t" § o 

[0178] 

K > I P 7 -y F § € © 5a a ^ li ^ H 1 8 ^ ffl T iJ T 5 o 
[0179] 

^>y F7-^-ry^7x-XSflS!iagP3 1 0^/^LT I P/'?7-y h^&Sffl-T^t^ 1 P 
v6Sffitij5!Lagi53 1 iti. I PveSftMSfia^rfft/^ (X7-yy40 1 0) . §{IL/c 
IP-^-y^rtO. AH^-y^<0WSi^7x'y^'-r?> (X7>y:/4 0 2 0) o 
[0180]
gflt/cl P-\\y^|*|fCAH^-y^40 1 & ^ t mm L Tc rj: ^ H ^ ^ (D I PA-^-yh;5r
I P s e c SflMSSP 3 1 ZlC^I'fMto 
[0181] 

^ifm-^tc I p s e c ^m^m^ 3 i zit. msE-r § i p s e c sffiffia 3120 ^^tv^ 

(Xx>y:^4030) . I Pv6Sfl^t5!LSg|5 3 1 3 1CI P/^'^-yb^gtJig-ro 
[0 1 8 2] 

^LT. I P V 6SftftfflaSP3 1 3ti. I Pv 6SM»ffla3 1 3 O^ffV^ (Xx-yT" 
4 0 4 0) , ffla%ll7T?.o 
[0183] 

:&*3. dCTs IPv6S{BmMag|53 13tt. IPv6SliftfflJI3130^l«^/cS 

fSL/c>'^'>->yb^TCP/UDPSfflffl,ilg|53 1 diC^ifmto Stta^o/cTCP/UD 

p SM^asP 3 1 5 fi. t> fc/^'^r .y h ©sfMffia^ffi/^. 7yu-y-i/3y3o i 

[0184] 

X X >y y 4 0 2 0 T% ± tH O >y ^ ^ i: flj Sir L ^ -& . ^ CD I P ^ >y h ^ gfl 7 ^ 

-fe X m » 3 1 6 s It ?g -r o 

[0185] 

SlflU-D tc^mr f -txmm^S l eti. ^nAM CMP/-^^-yhT-*§A^5*^f=-x-y^ 
r ^ (X-T<y 7^4050) o 
[0186] 

X -r -y 7" 4 0 5 OV. ^isbfc I P /^^ y h I C M P 'y h "?? § i: f ij It ^ n fc 4 
e-tf. ^OSfl Pv6Sffitt®ag|53 1 3JC§tt«L. I Pv6§MtSffla3 1 30?: 

( X X -y 7° 4 0 4 0 ) . » a «r H 7 f 5 o 
[0187] 

X r -y 7° 4 0 5 0 T- . I C M P ^ -y h (± ^ U> W K $ n ^ C. a\ S fH 7 -iz X ftij » 

3 1 6 (± . ^ (D I p ^ -y h ^ y /i- - 7°^^ © y - F 1 0 0 c. j^i ffl ? n ;i/ - -fn I 

P <y h T- fe § i: ¥iJiff t , m M T § /I' - 7°^1- I P -ir >y h §{8 Ma 3 1 6 O^n^^ ( 
Xr'y7°4 0 6 0) . ffia%*l7-r§o 
[0188] 

. ± IS © I p s e c ffi a 3 1 2 0 K-Di^^rmmt ^ o 

[0189] 

IPsecmaSI33 12a. AH'N-y^'%Wr§IP/^^'yh^S{fr§i:> IP'x-y^''" 
«iift7ClP7FPX. 3ifI^fcIP7FPX. AH^-y^^"40 1^cSS^nTV^§SPI 
A^~-g{-r5-b4^a'Jr'i'7yi>'X-i/a ^9 0 O^S Ar-^'^-X3 0 9 iP^i^liit ^ 

[0190] 

^LT. aaLfc-b + iUx^-7yi^x-iy3y9ooiciait$nTi^§isiEit^fflv^T 

Sflt/c I P/'^'^-y F©i[|iE1flS;&#«L, AH'\>y^4 0 1 lC^S?nTV>§gfiEW« 
i: tk K -r § o 

[0191] 

P5#*'!-aLTl^titi\ Sff Lfc I P/'^y-y F ^ ^'^l^ - ^ R ^ IE S ^ X - F 1 0 0 
5©jM{ti:*^%L, I Pv6Sft»fflaSP3 1 SlC^ilrmto ^LT. -gjL^V^S^tt 

. ^ n I p "J hmmt ^ o 

[0192] 

iX ± I P s e c M a 3 1 2 0 K-Oh^r mm Lfco 
[0193] 

S{M7i'-bX$!JSPSP3 1 6lcj;§i^;l'-7'^/^^-yFS:M5!ia3 1 OOlcov^TiJ 

mt^o 

[0194] 

W±© ck 9 fc. *SISgJgK8tcfc'V>T«. ^;V-7'tcS-r § / - F 1 0 0 ^;V-y^<D 
Pv6SffflMMag|53 1 MC*5V^T. S^I P/•?'^^vhA^ I Pv6Sffl^Mag|5 3 1 3
. TCP/UDP§{iS!iag|5 3 1 S^lfYLXT-fV^-i^aySO I izMMt ^ C t ^ m 

Pt L T t.^ ?, o 
[0195] 

Lti'L . ^MMBWJCfsi-^ra^ / - H 1 0 0 j; -3 T s ^ O 7 7° U ^ - 3 

y © ffl ?r . ;!/ - 7° ^ O / - F 1 0 0 BflM L T l/^ 5 O 5 o lu 34 L /c J; ^ , 
COJ;9S7 7°Uy->'3>^Wr§y-Fl 00 7:/u^->^3>c:-~to.t^-F» 

7 -b X©JfflIM*7 y-'> 3 ^WUr-:/^!^ 7 0 0 ic^ol/^TWa L Tl^ §0 10 
[0196] 

T'^O 7 - F 1 0 0 P. A H'N <y Wr § I P /-^ <v F ^ S {S L fc^- ^ . ^© 
I P y F^a^-r§c:i:A^T-t^V>fc:46^ ^tlti I P s e caflSHaglJS 1 2ti:*5V> 

r mmt ^ c t 9€ic mm L fc o 

[0197] 

;l/ - 7° 51- I P ^ -y F S ff? 5a ai 3 1 6 0 tt . ;l/ - 7° ^t- © / - F 1 0 0 a # © I P 
7 F ^ S: {f L /c PS ic . ^" ;l/ - 7" 51- O 7 - F 1 0 0 C If ft L T § 7 7° U ^ - a > 

mm I p/^^-y F^iia-r?)ffia-es§o 

[0198] 

^^'^l-- 7°51- I P -y F gfflffia 3 1 6 0 -ett. I P /^'^ -y F ^S:lt8?c /c 7 - F 1 0 0 20 

^^;l/-:/5'^©7-Fl0 0tc>i>fLf5re-9--lfXS|g^ffi#tt:S:V^«^. 7^-lrXX^ 
-^y"- t LrmmLfcl P -y h^mnTzKMLXmiEL. Sfltfcl P/'^'^-yF 
(i«S1-§= cnicnh. ^-;F-7°54(D7- F 1 0 0 tcStLTM?) A^©-9--l^"X«tg^Ji 

7i7irXSfiJffl]>r^ii7 7°iJ^-->3>eax-7';^7 GOWSStct^e-^T. 
7 -f V ^ - a > ^ mP.t ^ ^ '> Um L X ^ o 
[0199] 

j-:^ T ^ © # jii ^ El 1 9 % ffl T 0^ -r ?) o 

[ 0 2 0 0 ] 

^mr ^ "txmm^ 3 i e (i. i p v e ^mmmmm 3 1 1 i c m p -y f 

h> I P/-?^«y F;&^«LfctI^. I P/'^^-y FA^5R3JofcjMfi5fe>t°- FS^i:7^ 30 

^ xMrnMrnrfv ^-iy 3 y'em7--f 7 0 0 ic^m-s tixi.^ ^t°- hmn 7 0 i t 

© ^ ff % 9 ( X X >y 7" 3 1 6 1 ) o 
[ 0 2 0 1 ] 

7 ^7 -fe X ftij iP >rt ^ 7 7° U ^ - 3 > S a 7 - 7* 7 0 Ota. ^" ;l' - ^ 5^ © 7 - F ^0 ffl 

nj ? tx T 5 7 7° U ^ - V 3 > © .tx - F S ^ il SI $ n T § fc a* . 1^ t fc 

-it-ifxiiig^&g^Tcy-Fi 0 0 ic ^mx ^ ^ c 1 1 ^ . 

[ 0 2 0 2 ] 

il © If ^ , S {8 7 -fe X $ij ffll g|5 3 1 6 ii. S It Si o fc I P 'y F ^ I P v 6 'S IS ffl ffl 
gP 3 1 3 iCgltifi L. Slt^o fc IPv6 SftttMSgP 3 1 3 li. IPv6 SffltSSaa 3 
130^tT^^(Xx-yy3164)o 40 
[ 0 2 0 3 ] 

^LT. I P V BgftmffiagPS 1 3 3b^P.ffia?nfc I P^-^'^^y F^SttSJofcT CP/ 

UDPSfflffliIpP315tt. ^n^. 77°U^->'3>301tC§ltffi-ro 
[ 0 2 0 4 ] 

X 7 <y 7° 3 1 6 I IZ ts X . 4"° - F S ^1 - S b ^ 1^ if ^ S . fl ffi Tf' t - X « 
% l/^ /c s S {f 7 ^ -b X iliij » 3 1 6 a . 7 ^ -tr X x ^ - ^ 7 - ^ L T « Ifl L /c I P 
•y^yF^^fiittl P'MiU^S 0 i-b^ibmrnftKmrnL (Xr-y^S 1 62) . ^iULft I 
P y h Itmmr ^ (Xx<yy3 l 6 3) o 
[ 0 2 0 5 ] 

iX±. ^7";l.-yn I P -y FSfflMStCOl^TSiB^ Lfco 50 
[ 0 2 0 6 ]

C(D^^ ic. *^SSfl5ffilc*3V^T«. ^';l/-yrt©y-Fl OOraT-til P s e ciifl^ 

It . ;i ~ n (D / - ¥ I 0 0 1 iitmn (D I p ^ h K X ^ mm ^ n c t X' . 7 ^ 

■t xmmMSkT -/ V ^ - 3 ynm.f-fjX'i 0 0 t- s a t t s § 7 7° u - 3 yn 

if. - Y%^\zW-^X . 7 7° U ^ - >- 3 > f i: tc ^~ ;l/ - 7° 1*1 51- © 7 ^7 X it W ^ SJ » f § <l 

hff^x=^^o en i D . - o o 7 - F 1 0 0 *5 T . ;!/ - 7VcHt ?ij ffl -r § -y- - 1^ 

xatii:. I6t*-^fjffl-et §^^--iiX«|gi:%^gL. ^ n €n ^ © 7 ^ -b X ftOffli ^ rJ 16 

L T 5 o 
[ 0 2 0 7 ] 

ctntf > .t^-At^>y F 7-^^«fi!c-r§7 - FIDO *5 V^ T ft fig L ^l' 

-yit^^^t? I p s e c aft fCi£j.s^'it$g^. ftffl(D>< t u fi~ Y^i\\.x. %mmii^n 
stcfijffl-r5i:i:^itRi-r?)#7-F 1 0 oicsa^fSo 

[ 0 2 0 8 ] 

Ba^|J^n/c7- F 1 0 0 y;l/-7° terns LTV^Sfiloy- F 1 0 0 I P s e c ii« 
*^T:t?..J:9lC^ •t + aUX')'7y>'X->'3>9 0 0:&KS-r§i:i:fctC. ff^iiPAt 
/cili:%. ^';L'-7°tCPjTiiLTV^§ffi(D/-Fl OOtCjiftl-r^o 
[ 0 2 0 9 ] 

jitt^Slt/c7-F 1 0 Of*, ^n^'tl. »flilCilOALfc7-F 1 0 Oi:® I P s e cil 
fi*^Tt5j;^tc. •t4^iUxi'7V>'X-v'3y900?:S£-r?>o 
[0210] 

[021 1 ] 

g; /c, ^7" ;L. - 7° ^ ^ b W if -r 5 /c 46 ig^ S ^ 'If ffi ^ . ^ * U * - F i: fc IB It ft ^ 
^ L / - F (c 'J X § c ^ . *;j;t>\ ^' ;b - 7° © 3; . *3 <fc t>\ ^~ 

;^-yA^B©S^SMO^g?^^#7-F^c#^s^:^:^^JlLT^.^§o 

[0212] 

VX^a^s^^li^/c I C*-F^ffl,&tT^^';l/-y^«iS-r5Si5^ft^'tlfCi^J6-b-y 

I P s e cjifflnlHg*^ii^«^-e^§o 
[02 1 3 ] 

t fc. * * « « Ss T a . - o O / - F ic, ;^ - 7° rt O 7 - F © * ^ij fl! 7- t § 7 y U ^ - 
>'i:i^;l/-7':H07 - Y %Mmx ^ ^7 -7° - y -a ytA^^JiSSnTv^Sti'^feS 

atc^n€no7^-trx$ijffli;&i|]iT't5o 

[0214] 

Bl^gJcDlBlt^ft-efeD. &7-F3b^'^©-r>^7x-X^li^Tl^niJ. H<7)J;3*fB 

^ T j; i^o 

[0215] 

$ * * fiS ffj 81 « . I P s e c oi ft ^ ^ /c S * tf « €) IS S: ^ f B tt « f* -f' It * 

^ i: 0^ o fcl§S LfcAK il n tc H ti ?3: t/^ o ^ij A «\ # 7 - F A S ■ ^ « ^ . :i- 

■tf' A^' A -r § ct 9 L T J; t/^ „ 
[0216] 

If 0^ L C nic PS n ^ o ;^ (±\ § 7 - F A"! U -b F ^ > ^ ffi ^ > :i 
-^f7b'«^<;)U-b>yF>t^^y^:^'LT!i)5M^^la^W^^&■r§^§/^^^^^§J:^^cLTfej;l/^c 
[0217]

[02 1 8 ] 
[0219] 

ji ffl t § o 10 
[ 0 2 2 0 ] 

/- FAA^Sy- F F T- ^" - T' *3 T . fij ffl # ^ JS ?iJ ffl T t § / - Y^Umt^^ 

■:r^^}i-f(D%m^im\t'D\^x. 0 2o*^p.H3 i;&#R8LittBJ?-r^o 

[ 0 2 2 1 ] 

H 2 0 . * Bj! ^ a Ifl L /c ^6 ^- 7 h 7 - ^7 . S O H O H -3 /c X * - :t 7 ^' X '7 
hV-i'. ;r7^X©7D7^--y F7-<^*'f-tai:T§<t9^D-A;L'^:t-'y F7-i7(7) 

- « « ^ ij^ -r o * 18 Bil T tt . T . ^ C *5 1/^ T * ft 0i3 ?r ji ffl L /c if # ^ fiJ t L T Bi§ 
■r5o^Srt^^>yh7-i7a^^i^£D/-Fl 05 (1 05A, B). 1 06 (1 06C~ 

F) . fij^a'*^ ^y>>~^x7n>^if©*««ii. 7^ 1/ H'^ lf7^"3}-;5; HO A V «f§. -fe 20 

&^ t-r^o *^><yF7-^'{i. y-Fio5. 10 6. ^ ^ t)^ M ^ ^ ^ - 7.mm<D m 

y-Fl 0 5. 1 06 *^?)OS{^. ^§l^tiffly-Fl05. lOB'NO^f-l^XJi^^ 
[ 0 2 2 2 ] 

sfc. cin P. aso y - F 1 0 5 . i o e ±iEo^sfiffjffijca-^'t y^ttao ^~ 

;l/ - 7 a 6 0 Z ^m^'tc I P s e c Ji if :^)'^ pT fi^ * S A 9 0 0 & / - F ^12 32 5 tl . ^' ;!/ 

- yPBldffifl a. lulB ^^'^V- 6 0 2 ^ffll/^fc I P s e c 31 « X S « SI t ^ § o 

Ji^Ts F i o 7 i:i¥.S^'o ^i'- F i o 7 A^«^^n§ i 

,;l'-F^";^-yi07^«/S-r§^T©7-Fl 05. 1 06 K43l^T, ^";l/-7'7^' 30 
-trXx-^-<-X3 0 8±0^~;l'-7'«ax-7;l'6 0 OStfS Ax-:J?-<-X3 0 9± 
tc;V-F^";V-yi 070^7 - Fl 05. 1 0 6 KM t ^mmfS S A 9 0 ORlfSmm 
S A 9 0 0 A^»£$ti§o n*6. ;]/- F ^■;l^-^tc43lt5 ^^;I/-7Hfflff 

f y 11 -r S I P s e c ii IB {± . 3 D E S i 5 Bf ^1 ft ^ 5i ffl H § o 
[ 0 2 2 3 ] 

/ - ¥ tHi ^ ^ :i - ^' y ^ y X - 7. mmK ^ . ^■yF7-^«S^ 
-OtC;*:giJ-r §o F 1 0 5 (i> P CA^'«^§-f'>^f7x-X^illg. ff ij ^ '4l- 

F7-^7>&«fiic•r§y-F^DJ^^XF«-'K*^a^T'#§x^x7^^. iC^A^A^nj 

tl* + ->-j^-F^«x.§y-FT*fe§o unoy-Fi 0 6(iy-FA^'**«x.§«tg^ 
sf'^t-5fc46©«{gii©-ry^7x-x^<i^fcy-FTfe§o ^-©y-F i o sicm 40 
s-r5«g§i;LTtt. PC. xb-e. mmmm V =1 y ^ ^ w.^ L X ^ f) . H20T-ay 

-FA 1 0 5Ai:y-FB 1 05B^^-£Dy-Fl 0 5tL. m =. (D y h "7 ~ ^ Mm 

*J/EL, ia20 1:-ay-FC l 06C:6^e.y-FF 1 06F?:l|i:cDy-Fi:LTl/^So 
H 2 1 lzm-(D / ~ ¥ 1 0 5 O M - F 7 X 7 « fiK ^ .t's t" o 
[ 0 2 2 4 ] 

y - F 1 0 5 §-oi.:^±oy - Fa^iStiSP 2 0 2 . ^y^ «' x7 n y -e^nif . <?ij 
K.«?^^satg. u&'smmm. ^ -^-rmmm^m^mm^. f 7-^ a - f 2 o 5 

. ia*^tBg|5St>'^>y F7-^A- F^$iJffll-rs:^n-fe-y^t2 0 0. -/u-t y ^X^ht 
X-^^-X3 0 8Rt>'S Ax-^^-X3 0 9 ^siUt ^ ^ 0 2 0 1 . a. - ^ y
^mmt ^f- At] y ^ y 2 O 9. /^rU*-F2 0 7l¥0-Yy^7x-X 

^ i§iP^t ^ B'WMW ^ y ^ y X. ■- :^ 2 0 6. sifctie.^sint-^v'XxA^^xz 0 3*^ 

•^xTS/Sti. lufHS-©/-F10 5O^N-F'i'x7«figA^^^ rL--ifVy^7x-X 

(D^kicmm-r^'f-^tiit]4y^yx.-x^2 0 8Stfx-^A:ti-i'>^7x-xgP2 0 

9 A"! o 
[ 0 2 2 5 ] 

1112 OtC||-©y-F 1 0 5 (DVy F7x7«fi!t^^N-ro 

^--yF7-^'^/>LT^^~;l^-7°«),g1ig§P^-e-9--exii«-r§-OJ;^±^7:/U';r-->3 
yT'D^^ASOl. iif|;&1I|gif?.TCP/UDP3l{BMag|5 303. IPjiMg|5 30 

4 . :t- -y F 7 - ^ * - F ^ $-iJ IB -r § 7^ -y h 7 - ^' -f y ^ 7 X - X }1 ft Sft il 3 1 7 . ^7- >y 
F7-i7Yy^7x-XSfSmJ'l!Kl5 3 1 0, I PSfriSPS 1 1. TCP/UDPSfUffiSy 
g|5 315. IPsec«i-t: + ^UT-'('7y->x-->3>(lXTSA) OOO^BS-TSS 
Ar-^'^-XS 0 9. ^';P-7°afl^*SITS/ca6(cfiJffl-rs^^-y F7-i7^ig§tc^f-r 
57^-bX»Jffl!^cM■rS1ffSS:t>•^7";^-y■|f|g;S:g^l-r§7^^2X.t^U->x-^-<-X3 

0 8. ^^•;i/-:/sa^s5^^';i/-:/eaS!iasP 3 0 2, fais«i*:^>^7x-x^ftijffliT 
Siaitifil^-r y 7 x-XSaag|5 3 i 8. St>*x-^a:^i'i'>'^'7x-Xg|5i:x-^f A:;'^ 
-fy^?7x-X0|3^fiJ»f^:i--tfVy^'7x-XSailg|3l 5 1 tt-'ShMf^t^o I PjM 
jSaP 304 a. TCP/UDPiIMMBf?gf5 303 A^fFligb/£Pseudo^-y^'A^?)I P 
^-y^'^f'FfiK-ri) I Pv63MfItuSaiIg[5 3 0 5, SA900C0^|5^|jl^SA900 *^aD 

5 ^ « I P s e c ® 1! ^ tT 9 I P s e c f, 1 M i'l! ;^[5 306, ;^;>yF7-^'l'>^7x 
- X }M ft ® if gl3 3 1 7^1 P y 7 h ^ ffi f I P V 6 31 fi ft ® a 3 0 7 IS /jg ^ tl . 

1 PSfilSPS 1 4ii. ^-y F7-^-Y>^7x-XSfflMai;$3 1 0;?j^e.SfSt/cI P/^ 
^ -y F >y ^ P - F ft i: S ft T - ^ ft © tt «^ , ^ -y ^" :t 7" -> a > © 5a il ^ tf 9 I 
PvegflButeaslls AH'N'y^. ESP'N'y^A^S^^^tCSAgOO^M^t. 
tSffi^i S V^ttS^Ma^ff 9 I P s e c SfflSaag|53 l 2 , a H^N-y E S P-A-y 
IfKV^ii^^c I P y F ^Sff -r ^ ^^^WW-r §Sff 7 ^'•bXSiJWgp 3 1 6 . I P 

>y ^"^ P s e u d o -\ >y K M ^ ^ ^ . T C P /U D P^MffifiaSSP 3 1 5 'xSftx-^ 

^mt I p V 6 s If ffi a gP 3 1 3 e> « IS f o 

[0226]

;b - 7 S a ffl a gP 3 0 2 , ± ii L /c ^ fig ffj SI tc IS -i' t . 71/ - F ;F - 7° 4 iS ® a 3 2 

0 0, # iO ^ ii 3 3 0 0 . (154 ® a 3 4 0 0 . « ffi M ff M a 3 5 0 0 . ;F - 7° 'ftfij tP I P 
/^^y-y FSffliaas 6 0 Otcta^r, a-lf;?)^^07^-bXfiJ»^SB5l<^Stt#tt§a 

-^f 7 -b xsoiisaa 2 1 0 0, Rrsi^ko) ^ ^ h "7 - m^f)' ^ (d-^ y ffimjcm 
t^=i-^y¥^nicMt^M^n^^y^}\^-^'smmm2 2oo^nott^o 

[0227]

/.^Xx-^'^-X 3 0 8 t LT. ^^';F-yWax-7;l/ 6 0 0 . 7 ^ -b X a 

-^f'gSx-y'^i'Z 0 0 1 . &tf'7^7-trX77U«af--7;b 2 0 0 3^iaH-r§o 
[0228]

S Ax-^^-X3 0 9 tLX . I P s e cafi^HHTS/cfeW^MliT?^. Sfl7?^« 
lcqsfi-rS}Mffl7c7 F bX. SfSK;7 F bXMlSO S A 9 0 0 ^iBK-TSo 

^i:©y-Fi 0Q(oyyh'yx7mi&tLri,i.. MlBS-ox-Fi 0 5C)y7F7x 

7SfiSc/6^e.s a--lf^y^?7x-X<D^&tC|iJffl-r5:i-^f~^>^7x-X iliij fP gp 1 5 1 t 
a-+P"7^-trXSiJfflig|5 2 1 0 0^K*3^v^/cS^fr?)o to XT, y;b-7°7^-bXr- 
^f-<;-X 1 2 0±lc7^-trXa--ifeaf--7;b 2 0 0 1 :?rSaBt^l^o 

02 2tC*fSB^;Sr3iffl-r§^t7^^;l'-7'lO8«fii(;^^fo 0T'«, 2-D(0^y^')l--f 
1 0 8 ^ L T s o -9- :/ - 1 o 8 ii:t-^MmKmm-^- ^ ^ y ~ ¥ ^ i^' Ji- fit

t/t*>OT'feDs ^-Oy-F 1 0 5*^P.a--tf~*^fficDy'-F 1 0 5. 1 0 6^?iJfflbfc 
7,^mmt ^m^. ::i-'>f Mt^f ^l^-f a 1 0 8 A^m&t ^ / - ¥ \ 0 5A 

. 10 5B. 1 0 6 c cD^^fijffl -e t s a-^f' B b 1 0 8 B ^««-r § y- 

F105A. 106D. 106ECDX*fiJJl-et§o:i--9-'B;^)'!/-FA10 5AcfcDy- 

F C 1 0 6 C 7 ^ -b X -r 5 -9- - X « ffl T t ^ o 
[0229]

>t^ - A * 'y F 7 - ^ *3 T . ;!/ - F -'P - ■/ 1 0 7 ± -9" 7' 71^ - ^ 1 0 8 ^ IS /£ t" § 
C t K J; D . W ^ 43 5i ^ ^ © 1?- 7 y ^l' - ^ P C . a^T =iy. liy'tt^^mm 

t^t. PC. r HfA>6x73>(DtaaK£i: §o iin t t 10 

. (D+f 7^" i: bT> t- U \£ t \£ t ^mf&t ^ C t ic X iQ . f,^BxHd~*^6 
e T :t ^ 1^ a9 -e t § X 7 3 > <D a ^ S T t ^ V ^ i: t, ^ ^ /i SiJ W Rl ^ S o 

[0230]

WT, c o9-7^'~;b--/ 1 0 8£DfflS7?ffi. Rt>'iift¥J«^ia 2 3 3 l^ffH^Tpl 

023 tt. -OCDX-FIOS. 106(Cfett5^^-yF7-i'gMB#O37x-X^7K-r 
CD T S „ lg - 7 X - X a . / - F 1 0 5 . 1 0 6 ^ ^- -y F 7 - ^' t S fc /-£ <D « S 
§ ^■^l'- 7°te L 7 I - X 2 3 0 1 S o ^'"/l'- 7°li L 7 X - X 2 3 0 1 t3 T , M 

Bmmmmicm':st . ;i' - F X - 7° i o ? ^ « . X - F i o s , i o e © - F X ;F - 
T'l O 7'\ol)PAtcj;D. l|z:7x-Xi?fe5;F-FX;F-X7x-X2 a O 2i::&S„ 20 
c:o|gz:7x-Xi?tt. ;F-FX;l'-:/i o 7rt©X-F i o 5. i o ewafi^cfc'V^T 
. ;F-FX;F-:/i 07rt-e«aoX;^-X» 602^fflv^fc3DESicj;5Bt^aft^ 
'ii o tt o ;F - F X ;^ - 7° 1 0 7 tc $5 1/^ T . n. - cD 7 ^ -b X tfil , S. fij ffl T t § X - 
F 1 J; D ^ H 7 X - X 7- ^) S -y- 7 X ;F - 7° 7 X - X 2 3 0 3 i: 4 o I! H 7 X - X 'c 
-t X X ^l- - X 1 0 8 © X - F 1 0 5 . 1 0 6 IS ai {i t3 T s -9- X X ;F - X 1 0 8 

rt -r- l-t a o X - X a 6 o 2 ^ s /c 3 d e s o eg a fB ^ If 9 □ 

B12 4tiX;F-X1fSlffiSlg|5 3 0 2lc$5tj-§a--X7^-feX ifl^ff^n---tf7^'-bX 10 

ffliMa2ioQ©Ma#)ii^^-raT?^§o a-Hf*^e.os*^Sit#tj-§^. :x-+f'7 
^7-trx$ij»ffiii2 1 oo^m-ox-Fi 0 5 icisi^^rmmt ^--ifA^'e 

»l^-a:T Sl^ L. ;F - F X;F-X 1 0 7 # j[iP L /£ Bf T' * M if 5r E ft L X - F 1 0 5 30 
©#,eXnX^Ai:LT«I#5-&Tfej:l^o 3.--tf7i'-feXf|iJ»ffia2 1 OOa. ;F-F 
X;l'-X7x-X 2 3 0 2^§lMi-9-XX;l'-X7x-X 2 3 0 3 m<D^mmV^ ^ (X 

-r -y X 2 1 0 1 ) o 

X ^ xXb-f tc ra-^-7 ^ -bx«i^/ej . rn-^f' 7 ^7 -b x«iis<jj . r -9- - X f ij ffl 

J % « /K L ( X X -y X 2 1 0 2 ) , a - -ff fij ffl f § t O ^ S L T t B IV 31 K (c J; D 

. :l-^7 ^ xmrn^mm iz i i o) . :i-^7 ^ -tixmrnfAmm (2 1 30) . x 
xx;i'-X7^-bx«Bi^ffla (2 1 5 0) ^^tf-rsc 

02 5ti. a--!f 7 ^-trxffl^^ffla 2 1 1 0 otoa^ii^sf o 

H 1 Xr>yXi:LT. X;l/-X7^'-trXx-^'^-X3 0 StcTSaLTV^S;!/- FX;F 
-Xl 0 7C*fr?.X;l'-XWiI-r-X;l/6 0 Olca^$nTi/^§*XF^^r-i'XXP 40 
^lc«^fS (Xx>yX2 1 1 1) o ;F-FX;i'-Xi 0 7tc>(fr5X;F-XeaT-X 

;F a . fi so 6 0 7 O X U 7 t - F ^ ^ ^ n T 5 T 5 o 

m 2 X X >y X i: L T . n - if' A'^ A ;b L fc X X X ;b - X 1 0 8 L T S g L fc « S © * X 
F ^ ^ S it , X ;b - 7° 7 ^7 -tr X X - ^ - X 3 0 8 ± tc fr L X ;F - X ^ H X - X ;F 
600^7nX-FL, fiSiJ607^XX^L. ^XF^^SS-T?. (XX'yX2 1 12 

) o 

3! 3 X X >y X t L T . ffi O X ;F - X W if X - X 6 0 0 O X ^l^ - X SlgiJ ? 6 0 1 t - S t 

^i.>x;i/-Xiffisij? 6 0 1 :^mmL. ff ui/^X;u-xwax-x;u e o o t x;i'-Xiffigy 

?50 l^aSSf?) (Xx>yX2 1 1 3) o 

m4XX>yXi:LT. +i-XX;l/-Xl 0 8-e«aOBi^ffl(7)X;l/-XSl6 0 Z^^figL. 50 
fr ti/^ 7°BSlT-7;l/ 6 0 0 ic^^ L. H W W IS i: 3 D E S ^B^^7 /Id V XL

tLXm^t^ iX7--yf2 1 1 4) o 

m 5 ^T-y-f tLX. ^y^Jl-f I 08J&mfi!t-rS^TO^>yb7-^aS§l 05B. 

2 1 1 5 ) o 
[0231]

+J- 7" - 7° o ^" - 7° i« SU ? 6 0 1 . ^" ;b - :/ ^ « IS -r § ^ 7 - F o X h « - K . +?- 

7'>^-;b-7°©i7";V-7°» 6 0 2 . ^ <D W 581 ffl PI « f § o *7 l^-A 2 6 0 1 Ei . T 
CP/UDP5IfSMaSP 3 0 3^:n-LTUDPx-^^^Ai:LT3Mft^n, IPKtftgP 10 

3 0 4 lCfcV^T;l'-h^;V-7"l OTOy/b-T^StlCjcDHt^lk^niMfM^nSo #/- 
Fj;D3SjM^n5ESii7U-A2 6 0 2 tcj;i5. hy-^^gg'^iOjMfS^Wig-r^ 

7^^~;^-7f1^iSS*7^-A2 e o 2^l?5ltTfec!;v^o ■9-7^";l/-7MlJfiScS5}<7lx-A 
260 1^3MffliT?>i5. /-F1 05, 1 06CD4^XF«A^5IP7FL-X^|#§*XF 
^ $ ^ /-£ U V' ;l/ M * ^ I P fl g|5 3 1 0^B^?>o I P 3i ft SMC 3 1 0 fi ^ X h 
« . I P 7 F b X . R tf" X - 7' ;HI S B# M ^ B a -r § ^ ^ « fiSc T ^ U y ;l/ X - 7" 

;l/^lt^L. *XF^t-aT^IP7FL-X^1*^L. W^icti t V ^ - > M t t ^ 
oX-7;brtlcM=i-r§*XFi&A^*iH/^^#. ICMP Echo Rquest/Re 20 
p 1 y J; D *X F«A^^7 F X O 5* ^ ^ U 7 ;!/ x - 7 ;V tc 4"^ X F « I P 7 F 

[0232]

^ 6 O X f- 7 7° t L T . -9- 7' ;!/ - 7° 1 0 8 ^ mi&t ^ ± y h U - ^ mmicMt ^Mit 
ffl©SA900^:Sfi in SA900^fFlS-r€. (Xr-y 7=2 1 1 6) o 
El 2 7 fC S A 9 0 0 A <D tS /ijc ^ /Tn -r o 
[0233]

mitm S A 9 0 0 A t LZ li. SP I i:LTi^';b-7°^giJ?60 l^SSLs iMfSjcI P 
7FU'X^LTg^-yF7-^««§07FbX^K^L. iMffl^fel P7Fl^Xi:bT-9-7 

^^•;l/-:/^1ifiSc-rSffl^--y F^-^Sgi^I P7FbX%KS-r5o *^ffiJf^,«T'tts 7 30 
nF3;l/i;LTESP^, t-FaF^yX4-°-F. Bi^7;l'3UXAti3DES. 
»i:LT-9-7'^';l'-7°O^^';l'-7°il60 1^S^-r?.o SfifflSA900Ai:LT«. M 
fiSi P7F^Xi:LTftt^^>yh7-^'«g|tDI P7FbX;S:. mimfcl P7FUXtL 
Tg^t^-y F7-i7«§g(D7 FbX^&ISJgfS^^'UiJMfiffl S A 9 0 0 i:|B]Clifig-e$.So 
[0234]

m'70Xf>y7'fcUT> a-->f'tcJ;?)7^'-bX:x-1f"I Dt/^X7-F^x-^A^'l'>' 
^f7x-Xg|52 0 9 i:x-^tlitl^>'^7x-XgP2 0 8 ^ :ft ^if H if ^ (Xx-y^ 
2 1 1 7 ) o 
[0235]

^8<DXr<y7i;LTl!|iEil2002^4^-r§ (X-r>y7'2118)c 40 
[0236]

m 9 n Xt- -J 7° t LX . =L - ^' K L fc^ (D y t - y Fr^5^©;^^UA--F 2 0 7± 
a - -tf' I D , X 7 - F . IS E a 2 0 0 2 . g * -y h 7 - gg © z;- p - ;l/ I p 7 F 
U X . +f 7' i'" ;l/ - 7° O ^' ;b - 7°li gij ? 6 0 l ^ » ^ 3iA ( X r -y 7° 2 1 1 9 ) o 
[0237]

m 1 OcDXf--y7°i:LT. ^';l/-'/7^-bXx-^?-<-X3 0 8©7^7-tXn.--tfgar 
-7;b 2 0 0 itgtEa2 0 0 2. :i-^flD. ^t7i^;l/-y(D^7";l/-7liKiJ?^S5£t- 
§ (Xf--y7'2 1 20) o 
[0238]

:x-^'7 ^ -iixmn^mmz 1 1 0©gl|-efe§lll 10XT>y7'i:LT. -^-^^^Iz-y 50 
1 0 8 ^m!&t ^^X (D y ~ f KnLX . ^f^)l-^7i^^7.mm&7U~.L 2 6 0 3
^#fi!cLjlifl-r§ (7.x -yy2 1 2 1) o 

[0239]

mi-. +f ^i^'/b- 7°o 6 0 1 . a-^f i D . fgSEil 2 o o 2 . ^-^X 7 - F 

*^p>««L. hmhfc^y ^- )i-^m-&m^-7 v-K 7 0 1 tmmo^mxmmRxfmm 

5t IS ^ It -5 o 
[0240]

;^tC^j-7^~;b-7°ia?gS*7l/-i=>2 6 0 1 . Rt5+?-7^';l^-7°7^'-bXftiaS7^-A 

2 6 0 3 ^S«Lfc-9-7^;l/-:/^ 1 0 S^afigt-^y- F 1 0 5 . 1 0 6 ICfc'ltS 10 

-^gaffiagps 0 2T'(D+)-7"i^;i'-:/sa5!tii2 2 0 q xfx^n^M^m^mz s\c 

/TV To 

[0241]

^ )i~-ym.'&^m.2 2 0 oti. Fy;i/-:^7x-X2 3 0 1 ^:^\^\t^'f^')i- 

7'7x-X 2 3 0 30#(D^^eij-r-t5 (Xf--y7°2 2 0 1) o 

4ty/7;i.-ya§ji!2S«7P-A260 i^gttMtt/c^fT. X;^-y1i^ix-7;^600 

;Sr7n^-hL. 7U-A*^J#otf«^^5£^§o ;^fciifflliSA900i:SfllfflSA9 
0 0^3.--tf'7^-bXffi^SS!lJ12 1 1 OT^Lfccfc^iC^^-rS (Xf--yy2 2 0 2) 

[0242]

+)-X^";l/-7"7i'-bX«iS^7b-A2 60 3^Sit{titfc«-a-^ Sy-F*'«ll-<D/- 
Fl 0 5 7- ti^ ^;l/-7°7^-fe7.x-^-^-7.3 0 8©7^'-fe7>n.--ifSiix- 

7;i/ 2 0 0 1 ^7u^- F L. 7 ^';b-:/iiSiJ? . i d. 

IS liE it s A X 7 - F ^ IS £ f 5 ( X X -y 7° 2 2 0 3 ) o 

^t7^';b-:/S5gS*7ix-A260 1. ■9-7y;b-:/7^-bxttiSAg7U-A2603 
(D^mmmthx . m 2 q ^Tr^t ^mmmy ^ 2 ^ o 2 -^wAt ^ (xx>y:/22o 

3 ) o 

[0243]

[0244]

i^c^t7X;^-X7i'-bx«r^mffla2 1 5 0 ©g^ii^a^t-o 

S^l«fe5v^tt:x-^■A^■^t:/^';^-X7^•trXttPJa^a«Ufc«^, H2 6t^-r. ^ 
7 - 7°)IIS(S*^7ST 3 V > FitSiJ^ i: +f7-^^';i'-Xo X;!/-^!!^!]? 6 o i ^ « 
fiJc-r?.-y-7X;l'-7°«¥S(gj}<7^-A2 6 0 4^-9-7' ^'-^P-X II )S-r§:^TO^--y h7- 
^lifHt«bT}Mff -rSo ^om, «a«-tc J; i9J§£?n/i-9-7X;P-7°OX;l'-7'ilgiJ 
?6 0 l%J#-3X;l'-7'SSlx-7';l'6 0 0, 7<>-trXRt5-tr + ^'Jf-'C7yi^x-i/3 
y^ft?]KL. jitJi£;-r-S7^-feXa-^fWa-r-7;b 2 0 0 iw^^lSffl^iiJ^-T^o 
[0245]

* 7 u - A % s ffl b /£ ^* ;u - y « a M a 3 0 2 -e © -9- 7 ^* - y g a M a 2 2 0 0 43 

t/^T. ia2 8lC^-rj;9ti:. S{HLfc7U-i.lCcfc"9liS$n/-c+?-7'^''";l'-Xi6SlJ?6 0 40 
i^ffo^~;l/-7'«af--7';l'600i:SA900^ffli^L (x-f-y y2205) . S7 

- FJb^n-oy - F 1 Q sxh^m^. 7 ^ ^7.a--^'^my--f )i^<onmm^mmt ^ 

( X f- -y 7° 2 2 0 6 ) o 
[0246]

i-XT> ^t7^;l^-Xl O8C43lt§affl^|li%029*^?,H3 i;g:ffit/^TiS0.lt-§a 
[0247]

a-^f7^'-trXSiJfflJ5aa2lOOJ;f9^ rVx:/b^^i:aS$nfc ra-+f7^-bXlSS 

^j, ra-tf7^-bx«Maj. r-9--trxfijffljA>p..^--fti^ rnt-ifxfijfflj 50 
^mmt^ (Xy-y-fZ 1 02) o
[0248]

mz 9 ictoh^x . ^ -f ^' - -f T "7 ^ X mv&mw^m z 1 5 0 (Dmm^m^Bt o 

x-y 7°i; LT. t:L-+f' I D. X 7 - F. Mtim^ mW. L fc ^ ^ V - K 2 0 7 

© ffl A ^ f § /T^ -r 2. ( X f- 7° 2 1 5 1 ) o 
[0249]

n.-^'fj^^^^Jij-VZOinrnX^Sif. m Z (DXt- y y° t LX . ;^^-U*-F2 0 7 
±(D=L~--^ I Dt1CiJtt^if)l---f7^'^7.7'-^^-X 3 0 8±£D7^-bXrL-+fmii 10 
T-f;l^Z 0,0 1 ^^^^ ^ 'J A - K±0^ ^ U * - K*^~IB'« L Tl^ § /^X 7 - K i: 

7^-bXa.--if©ilf--7;l/ 2 0 0 1 (D/^XU - ff^-mt ^ C t^mm-f ?> (Xr-yT" 
2 1 5 2 ) o 
[0250]

-L-4f i DA^-gcr§7^-t:Xa--!fga-r-:7;l/l 2 iTb'^^iV^Ji^. *§lMi/^X7- 
¥ f]^r--^(Dm^. llliEx^-^&xi'XT'U'l'tca^L^ Saa^^T-rS (X-r-y7°2 1 

5 3 ) o 
[0251]

m 3 (D Xt- y 7° t LX . :i - V t^'^S. L fc V ~ X M Jtt ^ 7 7° V - 3 y^^WlL 

. 7 7° U ^ - ^> 3 y 7^'- ^ ji S IS K #ij ffl r 5 V ^ -y F fj 0 ft /c fl 4-: - h S ^1 ^ A 20 

#-r5(Xx-yy2 154)o 

^^U A - ¥ ±(D^';i-^mm^6 0 1 i:-a-r § ^'";i'-ysax-:7;^ 6 0 0(D.i<- F 
SEIXU76 0 Slcy^ry hJC|iJfttt^3lfl#-h#^^KS-r§ (Xxryy2 1 5 5) 

[0252]

^4cDX-f-y7°i:bT. y-FA^:3.-^f'7^-feX^;>ci", 7°n-feX2 3 0 0^igi]L.. ^t7':i7" 
;l'-:/7^'^Xttfmffia^ll7-r5 (XT-y7'2 1 5 6) „ 

* ^ SI ff^ SI T a . 7 y U ^ - 3 > ■/ n ^' ^ A 3 0 1 T' a . ?I] W Ma i: b T . X - ^ }M 

/cfeicy -y F^^t-T'yr^ Iridic jMfiTt 4^- F#^^y-y-y FmagPA^sffl 
oft^tsns^s ^■7^')i~-f7'>txmmmMz i sotajnT'tsi^-rso so 

[0253]

US 0fca--tf7^'-tXt>c®:/n-feX2 3 0 ooffl-a^Hi^f^t-o 

n--<f7^'-bX«ffiyn-bX2 3 0 OTfi. n.--tf;bMt';*-F 2 0 7 ^nVfcm^^ 
tUL. I 0 8 (D7 ^ "txm^mjt ^rcib. - :/ 7 ^ -b X ffi 6t tS Ma 2 

1 5 0 fcv^T ^';l/-yga7"-7;l' 6 0 0 LfcjMfflTCJK- F #^^iiJltt-§ (X 

r -y 2 3 0 1 ) . 

[0254]

cntcj;*). a-+ftcj;?,-it7"^;l/-'/3 0lfy ilJ ^45±-r§3|i:*^nIlg-efe?.o 

, :x-^ffim^hrz7 fVr-i^ a yiz ^ ^- )l'--ffy(D I P ^ -y F jM S ft # 

Hi ^ ^ ^ o 40 
[0255]

la 3 1 a . I p s e c ft ffi a gi5 3 0 6 CD ® a ¥ Hi ^ ^ -r CD S 5 o 

Ig 1 CD X r >y 7° t: L T . ffl ^ >y h cD iM fl 7t I P 7 K b X i: ft 5t 7 F b X ;^)^ - S "T 
SA^SA7'-^'-<-XJ;DltilT§ (Xf--y7°4 1 0 1) o 

m2cDXf-'y7''i;LT. :i - ^' 7 ■> "ii 7. 'mmy° ^ X 2 3 0 0 MWl X ^j: if tl SA 

9 0 0 (D mm fo'' }l - ¥ X h ^ CO ^ ^ (X-r-y7°4 1 0 2) „ mnfc I P7FbX 

. gflTCl P7F^XA^-aL/cSA 9 0 0cD^;l/-yiiSU?6 0 l^#0^~;b-7°Wa 
r-T'/P 6 0 0 oaSiJ 6 0 7 IC cfc O . ;V - F 9)^~-f 1 0 7 § S ^ fij if "T § o 
[0256]

^CD S A 9 0 0 A^'^SSLTl^i. ^^^l^-T'ii 6 0 2 ^fflV^T. I P '^r >y F O Hf ^ ft ^ 50 
I Ps e c mm^m^n o iXr-y f 4 1 03) o

a--if'7^-bX«Syn-bXl 1 0 0 ti'^^Wj ^ T & HIS . msnT.y'y^tLr. SA9 

0 0 (DMWlff ^(D^^mL (XT yf 4 1 04) . mm L fc S A 9 0 0 <D S P 

1 K M )S f 5 ;l/ - y « a X - ■/ /I' 1 2 2 ff) - b # ^ i: M fi '^r -y h T C P $) S U 

D P -y O ft Tt; 4^ - h # ^- - Si T 5 H 9 ^ IS ^ ( X f- 'y 7° 4 1 0 5) . -mh 
fdi-B^. ^OSA900^J1V^TI P s e c31fiMa4 1 03^f?9o 
[0257]

-afSS ATb'^sav^ig-^. Sail^HT-TSo CO^^. I P s e cffiil^fftJ-ft I P 
y h t'^mmt ti^^. -r ^ 111 tc J; 0 S ft iiJ O 7 ^ -b X SiJ SP J; D . ;y - h i/- ;i/ - 

■f & ^ iiv y ^' }i ~ -f nmrn t L r n o lo 

i^tc, H 3 1 ic^t^mr-min Lfc I P /•^'Ir >y h ^SrSffl t /S^^cD I P s e c S«5!La# 
)IM -r O T' -5) o I P 3 1 4 CD I P v 6 §{8 M SfLil^P 3 1 1 *5 1/^ T . A H 

-y^-~S§V>ttE S P^N-y^^^Sfflz-^^-y hlcS§Ji^I P s e cSflffiag|53 1 Zttlgi) 

$ n§ o 

[0258]

1 P s e cSf8ffia!;$3 1 2 X'ii. AH^-y^S^V^tiE S P'N-y^^'tCltSnSS P I t 
-mt ^ S S ky-'~ - 7. 10 mrnhfc S k y"- ^ ^- XK^tn^^ 

[0259]

AH-\y ^'h^^^itE s p ^ff^mi^^m^. smr ^ ^xmw^ 3 1 6 ic^ 10 . iPs 20 

e c3iMAMT^nTV^*<Tfe> 7 ^ 7.mmM MT ^ - b > ^Mt ~ f JV 7 0 0 

ii^tt. ±fitffiii«ncfe/c?,TCP/UDPSfflffflg!i}|5 3 1 S^/^^^yh^^ltH-To ^ 
n © I P ^^"r y hii. I C M P -y hmnmm^^'r y h T it n «\ ;v - h ;1/ - 

[0260]

Hsitc^-riPsecKifssafflTtt. )M{B/^^-yhtc?=fjs-ri.sA9oo^^B#fc. y 

- y g a r - •/ 6 0 0 O S gij -9- 7" T ^ D . - h S ^ iM ft 'Jr .y h © 3^ ft ^ *° - 
MI^A'i^g(f§c:i:lcJ;t) S A 9 o oo^S^&fTcTv^^A^ i'";l'-7'7i'-bXr-^ 
'^-x 3 0 8 rtti:+)-:/^~;l/-^^SiJ? ^tBHI-S 7 ^ T ^' 7x u 7>&l3it. H2 9tfc'it so 

§ » iS -r S ^" ;b - 7° B a f - - ;b 6 0 0 7 7" U ^ - 3 y e i) iSf If S M ft 4-° - h # 
^1 ^ f H ■» -r S ( X f- -y 7° 2 1 5 4 . 2 1 5 6 ) iXt>ir)K. mET f- ^ f X V T K ^ ^ V 
A" F 2 0 7 }ClBtl5tlTl^§ i^';l/-yiiSiJ? 6 0 1 ^KSt. I P s e c MffiffiS 1 3 

2 Tti. mmr 7~xu 7o^';i/-yiigy? 6oii:sA9oo<DSPi A^-a-r§ 

c:i:ic<J;0. SA900%1t^-r§ui;toItgi?fe§o 

[0261]

iioii^, «ft(D7^U':r-i/3>yn^^i:.3G i;&isi^ii{^$-a:Tv>^^^-efeMfe 
7^7-^ 7"x>j 7cfev^T> y;v-^iisij?6 0 1 fctt^wa-rtitfai/^o 

[0262]

unfcML, ^')]^-f'emy'-f)V6 0 oTt^-vm^^'smr^m^. 7fv^-iya 40 

yyn^'vA 3 0 1 icMlthrcmW.<D^s- h#^A^*JST-fe§o 
[0263]

C(D.tolZ. ±tail^{ix.fclia<Dy-Fl 05. 1 06 -e I P s e caffl^ft97-F 
*^?>Sl3g-r?i;l'-Fi7';l^-7°l 0 7tCteV>T. rL-HfVy^^7x-x^lix./cSi-oy- 

F 1 0 5 ^ mm t ^ mm (D y - V 1 0 5 , i 0 e « eg -r 5 -9- 7" y" - 7° 1 0 s ^ « 

ft L . ^(D^y- i;-jv~-f I 0 8 T « ii o 85 r O Oil 5| a D I P s e c a ft % ^ S 1 
Si^tc. SI-(D7-Fl0 5tfcV>T. V7 ^Ji^-fm'&^^^c^y ^;i--f<Dnm^^ 
mRxfrnmrnw z 0 7tciett-r§a--!f7^-bX'itig^ftto^-&t>'^i:o/-F 1 0 5 

. lOStcML. ;V-Fy;V-7°l0 7OBg^ii{8;&fflv^T$i3ML. V^^'^l^-flOS 

^mmt?>o 50 
[0264]

cintccfcf). 07^«^t-§y-Fi 05. i 06tc*3V-T. -y-:/^";!^- 

fj ffl T § ti ^ . f a '» « ft 2 0 7 ^ / - K 1 0 5 tc A n . 3. - If" CD E IE ^ nmt ^"^f )l' 
-7°1 OS^figiJ. fiJfflT§7 7°'J^->'ay30 l©Ji^-hS^608^y-Fl 05 

jcfev^Tiae-r s^a^ii^. /- F*^5.3Mfl-r i p s e c *3i^t 

, S A 9 0 0 « B# K , M IB t° - h S ^ i: )i 18 ^ -y F © U D P $ 5 VMi T C P 'A <y ^ 
«iS-r2.31fflx;i}-°" F#^|A'!-aLTV^?.Ji^, ^© S A 9 0 0 $:fflV^TlE)M^fT-5 C i: 
C ct "9 . -y- 7 - 7° 1 0 8 It O a ft & ^* - 7" © 3. - -tf' 7 i7 -t X M fP ?r ^ it T:' 

[0265]

^j)?lC03 2*^61113 e^ffiV^T. i^g|5^->y F7-i'A^?>0-y-:7'^^~>'l'-:/'^®7^-irX«^ 
M;^/ca--tf*^-9-7"i7';l/-7"'\07^-feX^IIS-r5^)ii^*-ro 
HI 3 2 a. *||iJfSilf$S|Oi^XrA«^©-^J^^-rHTfe§o 
[0266]

* ^- -y F 7 - ^ & 5^ gP ^- 'y F 7 - . 5'^ -y F 7 - S Ij! L T § X F 4 2 0 
1.5Sfi^-'yF7-^7;^til5g-r§7-Fl05A. 106B. 106C. 106D*^C)« 
figL, utlP)©/-F 1 05. 1 06 «,;l'-F^";l/-7°lQ7?:«fi)cLTV>5o*«fi)c 
t-ti. 7-FA10 5AA-^a"-if'^y^7x-X^fi^rcSI-O7-Fi:L, ±atfe* 

Sft JfJ M O ¥ IB . 7 - F A 1 0 5 A , 7 - F B 1 0 6 B , 7 - F C 1 0 6 C « fig 20 

t f )\^-f I 0 8^«aLTi^§^:1-?.o 

[0267]

1 O 8 7 ^ -b X«^Rf o fc I D. /■^ X 7 - F . Sf>II» 

^^^«LTV^5^^'JA-F 207;&^oT. d->XF320 lA^B+t-T"^*;!/-:/! 08 

^ 7 ^7 -fe X -r § ? ^ t- o 

[0268]

* X F 4 2 0 1 ± a . +j- 7' ;F - 7° ^ © 7 ^ -b X iliO M ^ ^ tcib <D ^ 7" ^' ;b - 7° 7 
i'-fc:X^'^'i'7>Fffla 430 l^tT^V7F7x7^^i6*SLT$.§tL. a-lftc 

[0269]